« Back to Index

Storing Passwords (salt + pepper)

View original Gist on GitHub

Storing Passwords.md

To Store a Password

• Generate a long random salt using a CSPRNG.
• Prepend the salt to the password and hash it with a standard password hashing function like Argon2, bcrypt, scrypt, or PBKDF2.
• Save both the salt and the hash in the user’s database record.

To Validate a Password

• Retrieve the user’s salt and hash from the database.
• Prepend the salt to the given password and hash it using the same hash function.
• Compare the hash of the given password with the hash from the database.
• If they match, the password is correct. Otherwise, the password is incorrect.

Example CSPRNG

• https://docs.python.org/3/library/os.html#os.urandom
• http://www.rubydoc.info/stdlib/securerandom/1.9.3/SecureRandom
• https://en.m.wikipedia.org/wiki//dev/random