A new salt should be randomly generated for each user and each time they change their password as a minimum. Don’t just rely on a site wide salt for example, as that defeats the point of using a salt in the first place. Using a unique salt for each user is so that if two … Read more
>>> import random >>> ALPHABET = “0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ” >>> chars=[] >>> for i in range(16): chars.append(random.choice(ALPHABET)) >>> “”.join(chars) ‘wE9mg9pu2KSmp5lh’ This should work.
The salt just needs to be random and unique. It can be freely known as it doesn’t help an attacker. Many systems will store the plain text salt in the database in the column right next to the hashed password. The salt helps to ensure that if two people (User A and User B) happen … Read more
The point of the salt is to be unique. The salt is meant to prevent attack cost sharing, i.e. an attacker trying to attack two hashed passwords for less than the twice the cost of attacking one. One solution to ensure uniqueness is to generate a random salt in a wide enough space. Therefore, getting … Read more
I am definitely not an expert, but the really short answer is that “salting” a line of text means to stick a few extra characters on the end of it. You could salt “salt” with “abcdefg” to get “saltabcdefg”. This might be useful if “salt” happens to be a password that you’d like to make … Read more
Samir’s answer is correct but somewhat cryptic. Basically, the salt is just a randomly derived bit of data that you prefix or postfix your data with to dramatically increase the complexity of a dictionary attack on your hashed value. So given a salt s and data d you’d just do the following to generate a … Read more
Inspired from this post and that post, I use this code to generate and verify hashed salted passwords. It only uses JDK provided classes, no external dependency. The process is: you create a salt with getNextSalt you ask the user his password and use the hash method to generate a salted and hashed password. The … Read more
I’ll mark this as answered, as I solved my problem and no other comments or answers were given: Edit 1 – Alternative 1 answers the original question BUT I had to learn that customized password salting is a legacy approach that is not needed in Spring Security 3.1 any more, as I describe in Edit … Read more
The point of a salt is to prevent attackers from amortizing the cost of a brute force attack across sites (or better yet, when using a different salt for each user: all users of a site) through precomputed rainbow tables. With plain hashing, an attacker can compute such a table once (a very long, costly … Read more