Password Security using Salt and Pepper
In cryptography, salt is a random value added to a password before hashing it. Pepper is like salt, but it is not stored in the database along with the password hash.
In a highly insecure application, user passwords are stored in plain text in the database. If a hacker gets access to the database, all passwords are compromised.
It does not matter if it's a simple password (12345) or a complex one (uwBX9EeTEsr^df7jSdQ8). All passwords are compromised!!
A slightly better approach is to hash the passwords using a fast hash (e.g. sha256) and then store only the hashes in the database.
But remember that the exact same hash is generated for a particular input. So if multiple users have the same password, the hashes will be identical.
A much better approach is to use a slow hash (e.g. bcrypt). One reason is that bcrypt generates a random salt for every hash it produces, so there are multiple valid hashes for any particular input, e.g. these are all valid hashes for the password rohas:
$2y$10$te9pyTKUm9ZvFaok0AVsrOsEszdwlzGEypmHg2wG6EB3azcP/4pcS
$2y$10$8mHEn182PCY5kc5kvkBhGuR95OugQnHVSYgRIUmIWRlKtqX1cM59S
$2y$10$VyErs5Ze0W0rvopbgub1NeedvOCV8fihsYXqziLFOBGOzSOp3IqvG
Salt and pepper
You can substantially increase security by using salt and pepper together.
In cryptography, salt is a random value added to a password before hashing it. The salt and the resulting hash are stored in the database. Because every user gets a different salt, a hacker using rainbow tables or other precomputed hashes cannot attack all users at once, which makes brute-forcing passwords tougher.
Pepper is like salt, but it is not stored in the database along with the password hash. The pepper can be the same for all users and is stored in a separate location, so a leak of the database alone does not give the hacker everything needed to verify guesses.
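The scheme described above, as an added Python example (not the author's or the course's code): a per-user random salt stored with the hash, a pepper kept outside the database and mixed in with HMAC, and a slow hash from the standard library (scrypt standing in for bcrypt). The pepper value, the environment variable name and the scrypt parameters are assumptions for the example.

```python
import hashlib
import hmac
import os

# Pepper: one secret shared by all users, loaded from somewhere outside the
# database (an environment variable or a secrets manager). It is never stored
# next to the hash. The fallback value below is a constructed placeholder.
PEPPER = os.environ.get("PASSWORD_PEPPER", "example-pepper-not-for-production").encode()

# scrypt parameters (assumed for the example): CPU/memory cost, block size, parallelism.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _slow_hash(password: str, salt: bytes, pepper: bytes) -> bytes:
    # Step 1: mix the pepper into the password with HMAC-SHA256, so the slow
    # hash never sees the raw password and a DB-only leak lacks the pepper.
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    # Step 2: slow, salted hash of the peppered value (salt lives in the DB).
    return hashlib.scrypt(peppered, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def hash_password(password: str, pepper: bytes = PEPPER) -> dict:
    """Return the record to store in the database: the per-user salt and the hash."""
    salt = os.urandom(16)  # fresh random salt for each user; stored, not secret
    return {"salt": salt.hex(), "hash": _slow_hash(password, salt, pepper).hex()}


def verify_password(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = _slow_hash(password, salt, pepper).hex()
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    a = hash_password("rohas")
    b = hash_password("rohas")
    print(a["hash"] != b["hash"])                        # same password, different salts -> different hashes
    print(verify_password("rohas", a))                   # correct password -> True
    print(verify_password("12345", a))                   # wrong password -> False
    print(verify_password("rohas", a, pepper=b"wrong"))  # stolen DB but no pepper -> False
```

The salt is deliberately kept in the record: it only needs to be unique per user, while the pepper is the part that must stay secret and out of the database.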
Need code samples for salt and pepper?
Join the free Web3 Developer Course by Rohas Nagpal.
Hey Rohas! Great take. We're launching our NFT collection's community of the most active web3 contributors, motivated by one vision:
- push web3 education forward
We'd like to invite you to the society 🥷
We're forming a network of creators & builders for which we deliver a series of mini products; the broader vision is to scale a web3 learning platform. DMs are open here or on Twitter :)