On Dec 11, 2012, at 6:39 PM, Paul McNett <[email protected]> wrote:
>> Ok but how then on subsequent logins do you add the correct salt to make
>> sure the comparison is accurate for their login access into the system?
>
> The unique salt is saved in the user table. When the user changes their
> password, a new unique salt is generated.
That's the standard method. There are other, newer hashing algorithms,
such as bcrypt, that eliminate that need. From the bcrypt page, some sample
code:
To generate the hash with salt:

    import bcrypt

    # gensalt's log_rounds parameter determines the complexity.
    # The work factor is 2**log_rounds, and the default is 12.
    # Current bcrypt bindings take bytes, not str. The returned value
    # carries the cost and the salt, so it is the only thing to store.
    hashed = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt(10))

To validate a submitted password:

    # Check that an unencrypted password matches one that has
    # previously been hashed. hashpw reads the salt and cost back out
    # of the stored value, so no separate salt lookup is needed.
    if bcrypt.hashpw(password.encode("utf-8"), hashed) == hashed:
        print("It matches")
    else:
        print("It does not match")
I thought that this was too good to be true, but a few tests show it
works!
The other cool thing about bcrypt is that it is designed to take time,
rather than be super-quick. The reason for that is that while it's fast enough
for a user to check a single password, it is too expensive for a cracker to go
through tables full of millions of possibilities. The gensalt() method allows
you to control just how slow the process is.
-- Ed Leafe
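Added here as a worked illustration of the two points in the post (the salt rides inside the hash, and the cost is tunable); it is not part of Ed's message or of the py-bcrypt sample. It uses only the Python standard library so it runs without the bcrypt package: parse_bcrypt() takes a bcrypt string apart to show where the cost and salt sit (the input is the published cost-5 bcrypt test vector for the password "U*U"), and hash_password()/verify_password() rebuild the same self-describing design on top of PBKDF2-HMAC-SHA256. The "pbkdf2_sha256$log_rounds$salt$digest" layout, the 2**log_rounds iteration count and the needs_rehash() policy check are choices made for this example, not anything from the post.

```python
import base64
import hashlib
import hmac
import os
import re
import time

# A bcrypt string is 60 characters: "$2b$12$" (version, cost) followed by
# 22 radix-64 characters of salt and 31 radix-64 characters of hash.
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def parse_bcrypt(stored):
    """Split a bcrypt hash into its fields. The salt and cost live inside
    the string, which is why hashpw(password, hashed) needs no salt column."""
    m = BCRYPT_RE.match(stored)
    if not m:
        raise ValueError("not a bcrypt hash string")
    version, cost, salt, digest = m.groups()
    return {"version": version, "cost": int(cost), "salt": salt, "hash": digest}


# The same idea with only the standard library: PBKDF2-HMAC-SHA256, a fresh
# random salt per call, and the cost recorded in the stored string.
# Layout (chosen for this example, not a standard): scheme$log_rounds$salt$digest
SCHEME = "pbkdf2_sha256"


def hash_password(password, log_rounds=16):
    """Return a self-describing string; the work factor is 2**log_rounds."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, 2 ** log_rounds)
    return "$".join([SCHEME, str(log_rounds),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password, stored):
    """Re-derive using the salt and cost read back from the stored string and
    compare in constant time (a plain == stops at the first differing byte)."""
    scheme, log_rounds, salt_b64, digest_b64 = stored.split("$")
    if scheme != SCHEME:
        raise ValueError("unsupported scheme: %s" % scheme)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(salt_b64), 2 ** int(log_rounds))
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored, target_log_rounds):
    """True when the stored cost is below current policy. Because the cost is
    in the string, an old hash can be upgraded at the user's next login."""
    return int(stored.split("$")[1]) < target_log_rounds


def measure(log_rounds, password="hunter2"):
    """Seconds for one hash at the given cost; doubles per increment."""
    start = time.perf_counter()
    hash_password(password, log_rounds)
    return time.perf_counter() - start


if __name__ == "__main__":
    vector = "$2a$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW"
    print(parse_bcrypt(vector))
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))
    print(verify_password("correct horse battery stapler", stored))
    for lr in (12, 14, 16):
        print(lr, "%.3fs" % measure(lr))
```

The measure() loop makes the "designed to take time" point concrete: each increment of log_rounds doubles the time for one login check and, in the same proportion, for every guess an attacker makes. When using a real bcrypt library, prefer its checkpw() over comparing hashpw() output with ==, for the same constant-time reason verify_password() uses hmac.compare_digest.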
_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message:
http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the
author, and do not constitute legal or medical advice. This statement is added
to the messages for those lawyers who are too stupid to see the obvious.