#1 2021-03-10 02:04:39

htits2008
Member
Registered: 2015-03-25
Posts: 34

salt in password

Hi, everyone!
I see "salt" in password encryption. I want to find an easy way to provide a different "salt" to generate different passwords, to prevent the password of "user" from overriding the password of "admin" to obtain permissions. So what should I do?

#2 2021-03-10 02:54:14

htits2008
Member
Registered: 2015-03-25
Posts: 34

Re: salt in password

In the AuthUser table, the data created by CreateMissingTables:
Admin, Supervisor, User all have the same PasswordHashHexa=67aeea294e1cb515236fd7829c55ec820ef888e8e221814d24d83b3dc4d825dd

#3 2021-03-10 07:47:19

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,655

Re: salt in password

Did you search a little bit? It is explained in the doc and source code of TAuthUser.
When you set the password, you can call this method directly instead of using the property:

procedure TAuthUser.SetPassword(const aPasswordPlain, aHashSalt: RawUtf8;
  aHashRound: integer);

It will allow you to customize the salt, and to change the algorithm/rounds to use the safer PBKDF2_HMAC_SHA256 algorithm for hashing.

There is no difference on the server side: the hash is just stored and checked.
The hashing method should just be consistent on the client side.
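As an added example (not mORMot's own code), the effect the answer describes, using the Python standard library's PBKDF2-HMAC-SHA256: the three accounts from post #2 end up with an identical hash when they share a password and a fixed salt, and with distinct hashes once each record gets its own random salt, while the login check keeps working in both cases. The helper names, the sample password and the round count are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed example: models a row of the AuthUser table as a dict with
# logon, salt, rounds and hash_hexa fields. Not the project's implementation.
ROUNDS = 100_000  # assumed iteration count; tune to your latency budget


def hash_password(plain: str, salt: bytes, rounds: int = ROUNDS) -> str:
    """PBKDF2-HMAC-SHA256 of the plain password under the given salt, as hex."""
    digest = hashlib.pbkdf2_hmac("sha256", plain.encode("utf-8"), salt, rounds)
    return digest.hex()


def set_password(user: Dict, plain: str, salt: Optional[bytes] = None) -> None:
    """Store the salt (a fresh random one unless supplied) and the derived hash."""
    user["salt"] = salt if salt is not None else os.urandom(16)
    user["rounds"] = ROUNDS
    user["hash_hexa"] = hash_password(plain, user["salt"], user["rounds"])


def check_password(user: Dict, plain: str) -> bool:
    """Recompute under the stored salt and rounds, then compare in constant time."""
    candidate = hash_password(plain, user["salt"], user["rounds"])
    return hmac.compare_digest(candidate, user["hash_hexa"])


def demo(shared_salt: Optional[bytes]) -> Tuple[bool, bool]:
    """Give Admin, Supervisor and User the same password under one salt policy.

    Returns (all three stored hashes are identical, login check behaves).
    A fixed shared salt reproduces the collision seen in post #2; None gives
    each account its own random salt, so the stored hashes differ.
    """
    password = "same-password-for-all"  # constructed sample value
    users = [{"logon": name} for name in ("Admin", "Supervisor", "User")]
    for user in users:
        set_password(user, password, shared_salt)
    all_same = len({user["hash_hexa"] for user in users}) == 1
    login_ok = check_password(users[0], password) and not check_password(users[0], "wrong")
    return all_same, login_ok


if __name__ == "__main__":
    print("fixed salt  ->", demo(b"fixed-salt"))  # (True, True): hashes collide
    print("per-user salt ->", demo(None))          # (False, True): hashes differ
```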