pallets-eco / flask-security-3.0

Quick and simple security for Flask applications
MIT License

Bcrypt should generate its own salts #190

Closed nickretallack closed 10 years ago

nickretallack commented 10 years ago

I set SECURITY_PASSWORD_HASH = 'bcrypt' and then it complained that I didn't set SECURITY_PASSWORD_SALT. Bcrypt should generate its own salt for each password. Why does FlaskSecurity ask me to specify a salt?

mattupstate commented 10 years ago

That salt is for the HMAC signature, not for use with bcrypt. Passlib, the library used for hashing passwords, supplies a random salt for each password when using bcrypt.

nickretallack commented 10 years ago

What's the HMAC signature for?

The error I get is literally: RuntimeError: The configuration value SECURITY_PASSWORD_SALT must not be None when the value of SECURITY_PASSWORD_HASH is set to "bcrypt"

It's raised here. I guess you're salting and hashing the password manually before you even hand it to bcrypt?

mattupstate commented 10 years ago

HMAC is applied for an extra layer of encryption in addition to bcrypt. It's certainly arguable whether it's necessary or not. I chose to use this approach to get the "best of both worlds".
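The two comments above describe two different things that both get called "salt": a fixed, application-wide key for an HMAC pre-hash (SECURITY_PASSWORD_SALT) and the random per-password salt that the bcrypt handler generates and stores inside each hash. The example below is added here to make that distinction concrete; it is not Flask-Security's or passlib's code. To keep it stdlib-only, PBKDF2-HMAC-SHA256 stands in for bcrypt (it also draws a fresh random salt per call and embeds it in the stored string), and the HMAC-SHA512 pre-hash keyed with SECURITY_PASSWORD_SALT is assumed to mirror the shape of Flask-Security's approach rather than its exact encoding. The key value and the round count are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-in for the app's SECURITY_PASSWORD_SALT. Despite the name it is
# an application-wide HMAC key, not a per-password salt: it is never stored in the
# hash, so every stored hash depends on it staying the same.
SECURITY_PASSWORD_SALT = b"constructed-app-wide-hmac-key-change-me"

# Constructed work factor for the PBKDF2 stand-in (bcrypt would use its cost parameter).
PBKDF2_ROUNDS = 50_000


def hmac_password(password: str, key: bytes = SECURITY_PASSWORD_SALT) -> bytes:
    """Layer 1: HMAC-SHA512 of the plaintext keyed with the app-wide secret.
    Assumption: this mirrors the shape of Flask-Security's pre-hash step."""
    mac = hmac.new(key, password.encode("utf-8"), hashlib.sha512).digest()
    return base64.b64encode(mac)


def hash_password(password: str, key: bytes = SECURITY_PASSWORD_SALT) -> str:
    """Layer 2: slow, salted hash of the HMAC output (PBKDF2 standing in for bcrypt).
    The hasher generates its own 16-byte random salt and writes it into the result,
    which is why the caller never has to supply one."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", hmac_password(password, key), salt, PBKDF2_ROUNDS)
    # Modular-crypt-style, self-describing string: $scheme$rounds$salt$digest
    return "$pbkdf2-sha256${}${}${}".format(
        PBKDF2_ROUNDS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str, key: bytes = SECURITY_PASSWORD_SALT) -> bool:
    """Recover rounds and salt from the stored string, recompute both layers, and
    compare in constant time. Malformed input simply fails verification."""
    try:
        _, scheme, rounds, salt_b64, dk_b64 = stored.split("$")
        if scheme != "pbkdf2-sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        dk = hashlib.pbkdf2_hmac("sha256", hmac_password(password, key), salt, int(rounds))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(dk, expected)


def same_password_two_hashes_differ(password: str) -> bool:
    """Hashing the same password twice yields two different strings (distinct random
    salts), yet both verify: this is the per-password salt the issue asks about."""
    h1, h2 = hash_password(password), hash_password(password)
    return h1 != h2 and verify_password(password, h1) and verify_password(password, h2)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("correct password verifies:", verify_password("correct horse battery staple", stored))
    print("wrong password verifies:  ", verify_password("Tr0ub4dor&3", stored))
    print("distinct salt per hash:   ", same_password_two_hashes_differ("example"))
    # Operational caveat: rotating the HMAC key silently invalidates every stored hash,
    # because unlike the per-password salt it is not recoverable from the hash string.
    print("verifies after key change:", verify_password("correct horse battery staple", stored, key=b"rotated"))
```

The last line of the script is the practical consequence of the design: the random salt travels inside each stored hash and costs nothing to manage, whereas SECURITY_PASSWORD_SALT behaves like a key that must be backed up with the database and cannot be changed without re-hashing every password.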