You are not logged in.
- Topics: Active | Unanswered
Pages: 1
#1 2021-03-10 02:04:39
- htits2008
- Member
- Registered: 2015-03-25
- Posts: 31
salt in password
Hi,every one!
I see "salt" in password encryption. I want to find an easy way to provide different "salt" to generate different passwords. Prevent the password of "user" from overriding the password of "admin" to obtain permission. So what should I do?
Offline
#2 2021-03-10 02:54:14
- htits2008
- Member
- Registered: 2015-03-25
- Posts: 31
Re: salt in password
in the AuthUser table , data created by CreateMissingTables .
Admin , Supervisor , User , same PasswordHashHexa=67aeea294e1cb515236fd7829c55ec820ef888e8e221814d24d83b3dc4d825dd
Offline
#3 2021-03-10 07:47:19
Re: salt in password
Did you search a little bit? It is explained in the doc and source code of TAuthUser.
When you set the password, you can use not the property but directly this method:
procedure TAuthUser.SetPassword(const aPasswordPlain, aHashSalt: RawUtf8;
aHashRound: integer);It will allow to customize the salt, and change the algorithm/round to use safer PBKDF2_HMAC_SHA256 algorithm for hashing.
There is no difference on server side: the hash is just stored and checked.
The hashing method should just be consistent on client side.
Offline
Pages: 1