Support the creation of a unique salt for each user
From http://crackstation.net/hashing-security.htm:
"The most common salt implementation errors are reusing the same salt in multiple hashes, or using a salt that is too short.
Salt Reuse
A common mistake is to use the same salt in each hash. Either the salt is hard-coded into the program, or is generated randomly once. This is ineffective because if two users have the same password, they’ll still have the same hash. An attacker can still use a reverse lookup table attack to run a dictionary attack on every hash at the same time. They just have to apply the salt to each password guess before they hash it. If the salt is hard-coded into a popular product, lookup tables and rainbow tables can be built for that salt, to make it easier to crack hashes generated by the product.
A new random salt must be generated each time a user creates an account or changes their password."
Upon user signup, a new salt should be created and stored in the newly created User object.
If the application uses bcrypt, the best way to generate a salt would be as follows:
import bcrypt
salt = bcrypt.gensalt()
Agree with teloon. The name is misleading, because if passlib is already generating the salt per user, why do we even need a static salt for the whole application? If it is a key to HMAC for the whole application, then it serves a different purpose. If the database is stolen (with the salts), then an attacker won’t be able to crack a specific password (targeted attack), because there’s the application HMAC key that is not stored in the database. This is a legitimate use. If that’s the purpose of that variable specified during the configuration time, then it should be noted so in the documentation.
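The two roles the thread separates, as an added example that is not Flask-Security's or passlib's code: a fresh random salt per user at signup (the issue's request) and an application-wide HMAC key that stays in configuration rather than the database (the comment's reading of the static salt). It uses stdlib PBKDF2 in place of the bcrypt call above so it runs with no extra packages; the key value and iteration count are constructed for the demo.

```python
import hmac
import hashlib
import secrets

# Constructed application-wide HMAC key: lives in configuration, never in
# the database. Stealing the user table alone does not yield it.
APP_HMAC_KEY = b"constructed-demo-key-do-not-use"

ITERATIONS = 100_000  # assumption: PBKDF2 work factor chosen for the demo


def new_user_salt() -> bytes:
    """Fresh random per-user salt, generated at signup or password change."""
    return secrets.token_bytes(16)


def hash_password(password: str, salt: bytes, app_key: bytes = APP_HMAC_KEY) -> bytes:
    """HMAC the password with the application key, then hash with the per-user salt."""
    keyed = hmac.new(app_key, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, ITERATIONS)


def verify_password(password: str, salt: bytes, stored: bytes,
                    app_key: bytes = APP_HMAC_KEY) -> bool:
    """Constant-time comparison of a recomputed hash against the stored one."""
    return hmac.compare_digest(hash_password(password, salt, app_key), stored)


def same_hash_for_shared_password(per_user_salt: bool) -> bool:
    """Two users choose the same password; True if their stored hashes collide.

    With a single shared salt (the mistake the issue quotes) they collide, so
    one lookup table cracks both; with per-user salts they do not.
    """
    salt_a = new_user_salt()
    salt_b = new_user_salt() if per_user_salt else salt_a
    return hash_password("correct horse", salt_a) == hash_password("correct horse", salt_b)


def demo() -> dict:
    salt = new_user_salt()
    stored = hash_password("hunter2", salt)
    return {
        "static_salt_collides": same_hash_for_shared_password(per_user_salt=False),
        "per_user_salt_collides": same_hash_for_shared_password(per_user_salt=True),
        "verify_ok": verify_password("hunter2", salt, stored),
        "verify_wrong_password": verify_password("hunter3", salt, stored),
        # Database contents alone (salt + hash) are not enough without the app key.
        "verify_without_app_key": verify_password("hunter2", salt, stored, app_key=b"other-key"),
    }
```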
Could this be added to the documentation? It took me a while to decide whether or not to use Flask-Security, because I thought the documentation implied that only one salt was used for all users.