rapid7/metasploit-credential

Password Hashes and Salts

Meatballs1 opened this issue · 7 comments

Should the PasswordHash class be able to store a salt?

If I'm not mistaken, salt is usually part of the hash if it came from a shadow file, e.g. root:$1$<salt>$<salted md5>:0:::.

There might be some situations where we get them as separate entities, but then they could be composed into the format john expects.

yeah, that's kind of the assumption. although the salt would be at a predictable location, so making it a separately accessible attribute as well wouldn't necessarily be that hard. you could still have it in the raw data, but also have it called out specifically in a salt attribute. not sure if there's any particular value to doing so, but it probably wouldn't be much work.

@jlee-r7 If you are grabbing hashes and salts from a database, it won't be like that. On the flip side, why would you store them like that if databases store them separately? :)

P.S. other hash cracking tools are available

We'll gladly accept support for 3rd-party tools from the community, but only with rspec unit tests and cucumber integration tests so we can guarantee their continued functionality. (The need for these tests is to ensure we can change the rest of the libraries without breaking integration for tools we don't use regularly. If there aren't tests, then any code is an implementation detail and subject to removal.) Unfortunately, our team just isn't big enough to do every possible integration. We are unlikely to add 3rd-party tool support on our own unless we're actively using those tools internally or have requests for those integrations from our paying Pro customers.

@Meatballs1 @limhoff-r7 We will add support for anything reasonable, especially if the community wants to submit patches for said support. While commercial edition considerations are strong here, they are not the only driver.

@Meatballs1: patches for 3rd party cracking tools are gladly accepted assuming that they meet code requirements and don't break other integrations.

egypt commented

I don't think putting the salt in a separate column really helps anything. If a compelling reason comes up we can revisit.
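
The trade-off discussed in this thread, as an added example that is not part of the thread or of metasploit-credential: the raw shadow-style string stays the stored value, and the salt is derived from its predictable position when needed. `ParsedHash`, `parse_shadow_line` and the sample lines are hypothetical and constructed for illustration.

```ruby
# Added example; ParsedHash and parse_shadow_line are hypothetical names,
# not metasploit-credential's API.
ParsedHash = Struct.new(:user, :scheme, :salt, :digest, :raw)

SCHEMES = { '1' => :md5crypt, '5' => :sha256crypt, '6' => :sha512crypt,
            '2a' => :bcrypt, '2b' => :bcrypt, '2y' => :bcrypt }.freeze

def parse_shadow_line(line)
  user, raw = line.chomp.split(':', 3)
  # Empty, "*" or "!"-prefixed fields are locked or passwordless accounts.
  return nil if raw.nil? || raw.empty? || raw.start_with?('*', '!')
  # Assumption: a field without a "$" prefix is legacy DES crypt (2-char salt).
  return ParsedHash.new(user, :descrypt, raw[0, 2], raw[2..-1], raw) unless raw.start_with?('$')

  parts = raw.split('$', -1) # leading "$" gives an empty first element
  scheme = parts.length >= 4 ? SCHEMES.fetch(parts[1], :unknown) : :unknown
  case scheme
  when :unknown
    # Keep the raw value so nothing is lost; no salt is guessed.
    ParsedHash.new(user, scheme, nil, nil, raw)
  when :bcrypt
    # $2b$<cost>$<22-char salt><31-char digest>: both share the last field.
    ParsedHash.new(user, scheme, parts[3][0, 22], parts[3][22..-1], raw)
  else
    fields = parts[2..-1]
    # SHA-crypt may carry an optional "rounds=N" field before the salt.
    fields.shift if fields.first.start_with?('rounds=') && fields.length > 2
    ParsedHash.new(user, scheme, fields[0], fields[1], raw)
  end
end

# Constructed sample lines; the digests are placeholders, not real hashes.
SAMPLE_LINES = [
  'root:$1$Xy3kQ9aB$PLACEHOLDERmd5digest00:0:::',
  'svc:$6$rounds=5000$saltsalt$PLACEHOLDERsha512digest:0:::',
  'web:$2b$12$' + 'S' * 22 + 'D' * 31 + ':0:::',
  'nobody:*:0:::'
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LINES.each do |l|
    h = parse_shadow_line(l)
    puts h ? "#{h.user}: #{h.scheme} salt=#{h.salt.inspect}" : "#{l.split(':').first}: no hash"
  end
end
```

Hashes pulled from a database with the salt in its own column do not fit this parser; those would need a scheme-specific composition step before they reach a cracker.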