saintedlama / passport-local-mongoose

Passport-Local Mongoose is a Mongoose plugin that simplifies building username and password login with Passport
MIT License

Security Concern: Passport-Local-Mongoose stores Hash and Salt separately #261

Open johndows opened 6 years ago

johndows commented 6 years ago

Hello,

When the register method is called, it stores a hash and a salt separately. It's not possible to query them. But is this the best practice in terms of security? Shouldn't it store only the hash and the salt in the same string to avoid dictionary attacks?

Thank you

kumorig commented 6 years ago

The salt is baked into the hash. It uses pbkdf2, which bakes in the salt on the first iteration. You still need to store the salt somewhere of course or you'll never be able to verify passwords. But there is no security gain in storing the salt in one field instead of two.

I'm not related to this project in any way, but all security concerns are valid so keep 'em coming.

johndows commented 5 years ago

@kumorig I understand what you're saying but if we store the salt in the database separately aren't we making it easier for people to do dictionary attacks?

If the database is breached they will have the salt right there to use.

On the contrary, if we have the salt in the source code itself and the method knows which type of salt it is considering, isn't that safer? And having in the DB only the password hash mixed with the salt, like some packages do.

Thanks for the explanation