Password salts #4249

florian-klemt · 2023-11-07T18:48:26Z

florian-klemt
Nov 7, 2023

Hi everyone,

I was wondering if passwords are salted by default. I don't see anything like that, so I presume no, but wanted to check first.

Answered by MrLeebo

Nov 7, 2023

Yes, they are salted.

blitz/packages/blitz-auth/src/server/secure-password.ts

Line 12 in fb232d1

const hashedBuffer = await SP().hash(Buffer.from(password))

the hash() function of secure-password applies the salt.

View full answer

MrLeebo · 2023-11-07T19:05:35Z

MrLeebo
Nov 7, 2023
Maintainer

Yes, they are salted.

blitz/packages/blitz-auth/src/server/secure-password.ts

Line 12 in fb232d1

const hashedBuffer = await SP().hash(Buffer.from(password))

the hash() function of secure-password applies the salt.

3 replies

florian-klemt Nov 7, 2023
Author

Ok, great 👍🏼
Just out of curiosity, shouldn't the salt be also stored in the db? How does it work in detail?

MrLeebo Nov 7, 2023
Maintainer

They're both stored sequentially in the same field. Essentially, it is this:

byteArray = [...salt, ...hash]

The db field is a byte array, the first 16 bytes are the salt. The remaining bytes are the password hash.

florian-klemt Nov 7, 2023
Author

Thank you very much

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Password salts #4249

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 3 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Password salts #4249

Uh oh!

florian-klemt Nov 7, 2023

Replies: 1 comment · 3 replies

Uh oh!

MrLeebo Nov 7, 2023 Maintainer

Uh oh!

florian-klemt Nov 7, 2023 Author

Uh oh!

MrLeebo Nov 7, 2023 Maintainer

Uh oh!

florian-klemt Nov 7, 2023 Author

florian-klemt
Nov 7, 2023

Replies: 1 comment 3 replies

MrLeebo
Nov 7, 2023
Maintainer

florian-klemt Nov 7, 2023
Author

MrLeebo Nov 7, 2023
Maintainer

florian-klemt Nov 7, 2023
Author