How would you add salt to your existing password hashes?

前端 未结 8 1681
心在旅途
心在旅途 2021-02-08 06:08

I have a database of hashed passwords that had no salt added before they were hashed. I want to add salt to new passwords. Obviously I can\'t re-hash the existing ones.

<
相关标签:
8条回答
  • 2021-02-08 06:26

    Create a new field in you're database named "salted" with a type of true/false (or whatever the equivalent is in your DBMS). Set all the values to false for the existing hashes. Whenever a new, salted, hash is added, set the "salted" field to true.

    Then, all you have to do is handle the two types of hashes differently in your code.

    This is more of a general solution than a specific one, but it should solve your problem.

    0 讨论(0)
  • 2021-02-08 06:28

    You could add a column, consisting of a flag showing whether the user has an old (no salt) or a new (with salt) hash.

    A good idea is, at that point, to force all users to change their passwords upon sign in. This way you can get rid of that column eventually.

    0 讨论(0)
  • 2021-02-08 06:37

    If you are storing the salt inside the hash, it should be fairly straight forward to determine if a salt is included by checking the length of the hash. If there isn't a salt, just hash the password, if there is a salt, hash the password + salt.

    You shouldn't need a boolean column in your database.

    0 讨论(0)
  • 2021-02-08 06:37

    As a quick fix, you could create a salt column in the database, and when a user logs in correctly matching the old hash, you can then use that password that they entered with a salt and create a new hash.

    0 讨论(0)
  • 2021-02-08 06:39

    Sure you can. Just add a salt to the existing hash and hash it again. Of course this will require any future logins to go through the same process meaning two hash functions will need to be called but lots of legitimate patterns do this anyway so it doesn't smell as bad as you might think.

    Salting a password is an effort to defend against rainbow tables. In this case the salt does not need to be a secret.

    http://en.wikipedia.org/wiki/Rainbow_tables#Defense_against_rainbow_tables

    You can actually see in the article

    hash = MD5 (MD5 (password) . salt)
    

    Which is the same exact method you would be using. (Except a different hashing function.)

    0 讨论(0)
  • 2021-02-08 06:43

    The best way I store my salt is that I embed the salt value within the password hash + salt I have just created. I don't append the salt string to the beginning or end of the hash, I literally embed the salt into the hash.

    0 讨论(0)
提交回复
热议问题