I'm learning about encryption and security and I'm a little confused by a (possibly simple) concept.
I understand how hashing and salts work for the most part, but I don't understand how functions match passwords. For example, here is part of passlib's documentation:
>>> # import the hash algorithm
>>> from passlib.hash import sha256_crypt
>>> # generate new salt, and hash a password
>>> hash = sha256_crypt.encrypt("toomanysecrets")
>>> hash
'$5$rounds=80000$zvpXD3gCkrt7tw.1$QqeTSolNHEfgryc5oMgiq1o8qCEAcmye3FoMSuvgToC'
>>> # verifying the password
>>> sha256_crypt.verify("toomanysecrets", hash)
True
>>> sha256_crypt.verify("joshua", hash)
False
On the 4th line, it mentions generating a new salt, but as far as I can tell the salt is never stored alongside the password.
Why can I store the hashed password as a string in a database and verify it later without providing a salt?
Per the documentation:
An sha256-crypt hash string has the format
$5$rounds=rounds$salt$checksum
The salt (in your case 'zvpXD3gCkrt7tw.1') is stored within the string itself; that's why it doesn't need to be stored separately.
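To make the answer concrete, here is an added example (not part of the original post and not passlib's code) that splits the hash string from the question into its fields, then shows a verify function reading the salt and rounds back out of the stored string. The names `parse_mcf`, `demo_hash` and `demo_verify` and the `$demo$` scheme id are hypothetical, and the digest uses PBKDF2-HMAC-SHA256 as a stand-in rather than the real sha256-crypt algorithm.

```python
import base64
import hashlib
import hmac
import os

# Hash string quoted in the question above (passlib's documentation example).
PAGE_HASH = "$5$rounds=80000$zvpXD3gCkrt7tw.1$QqeTSolNHEfgryc5oMgiq1o8qCEAcmye3FoMSuvgToC"


def parse_mcf(hash_string):
    """Split '$id$rounds=N$salt$checksum' into (id, rounds, salt, checksum)."""
    fields = hash_string.split("$")
    # fields[0] is empty because the string starts with '$'.
    if len(fields) != 5 or fields[0] != "" or not fields[2].startswith("rounds="):
        raise ValueError("not in $id$rounds=N$salt$checksum form")
    _, ident, rounds, salt, checksum = fields
    return ident, int(rounds[len("rounds="):]), salt, checksum


def _digest(password, salt, rounds):
    # Stand-in KDF (PBKDF2-HMAC-SHA256), NOT the real sha256-crypt algorithm.
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), rounds)
    return base64.b64encode(raw, altchars=b"./").decode().rstrip("=")


def demo_hash(password, rounds=1000):
    """Generate a fresh random salt and embed it in the returned string."""
    # rounds=1000 only keeps the demo fast; it is not a recommended setting.
    salt = base64.b64encode(os.urandom(12), altchars=b"./").decode()
    return f"$demo$rounds={rounds}${salt}${_digest(password, salt, rounds)}"


def demo_verify(password, stored):
    """Re-hash the candidate with the salt and rounds read from `stored`."""
    ident, rounds, salt, checksum = parse_mcf(stored)
    if ident != "demo":
        raise ValueError("unsupported scheme id")
    # Constant-time comparison of the recomputed and stored checksums.
    return hmac.compare_digest(_digest(password, salt, rounds), checksum)


if __name__ == "__main__":
    print(parse_mcf(PAGE_HASH))
    stored = demo_hash("toomanysecrets")
    print(stored, demo_verify("toomanysecrets", stored), demo_verify("joshua", stored))
```

Hashing the same password twice yields two different strings because each call draws a new salt, yet both verify, since the salt travels inside the string.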