Password salts #4249

florian-klemt · 2023-11-07T18:48:26Z

florian-klemt
Nov 7, 2023

Hi everyone,

I was wondering if passwords are salted by default. I don't see anything like that, so I presume no, but wanted to check first.

Answered by MrLeebo

Nov 7, 2023

Yes, they are salted.

blitz/packages/blitz-auth/src/server/secure-password.ts

Line 12 in fb232d1

const hashedBuffer = await SP().hash(Buffer.from(password))

the hash() function of secure-password applies the salt.

View full answer

MrLeebo · 2023-11-07T19:05:35Z

MrLeebo
Nov 7, 2023
Maintainer

Yes, they are salted.

blitz/packages/blitz-auth/src/server/secure-password.ts

Line 12 in fb232d1

const hashedBuffer = await SP().hash(Buffer.from(password))

the hash() function of secure-password applies the salt.

3 replies

florian-klemt Nov 7, 2023
Author

Ok, great 👍🏼
Just out of curiosity, shouldn't the salt be also stored in the db? How does it work in detail?

MrLeebo Nov 7, 2023
Maintainer

They're both stored sequentially in the same field. Essentially, it is this:

byteArray = [...salt, ...hash]

The db field is a byte array, the first 16 bytes are the salt. The remaining bytes are the password hash.

florian-klemt Nov 7, 2023
Author

Thank you very much

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Password salts #4249

{{title}}

Replies: 1 comment 3 replies

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Password salts #4249

florian-klemt Nov 7, 2023

Replies: 1 comment · 3 replies

MrLeebo Nov 7, 2023 Maintainer

florian-klemt Nov 7, 2023 Author

MrLeebo Nov 7, 2023 Maintainer

florian-klemt Nov 7, 2023 Author

florian-klemt
Nov 7, 2023

Replies: 1 comment 3 replies

MrLeebo
Nov 7, 2023
Maintainer

florian-klemt Nov 7, 2023
Author

MrLeebo Nov 7, 2023
Maintainer

florian-klemt Nov 7, 2023
Author