Salted Password Hashing - Doing it Right
A while ago, I wrote about how to store passwords safely.
Well, I found a better article explaining it. I know I've been guilty of reusing salts, but this makes a good point on why not to do that and how to fix it.
To Store a Password
- Generate a long random salt using a CSPRNG.
- Prepend the salt to the password and hash it with a standard cryptographic hash function such as SHA256 (or, better, bcrypt).
- Save both the salt and the hash in the user’s database record.
For the cryptographic hash function, prefer bcrypt: it uses a technique known as key stretching, which makes every guess expensive for an attacker who gets hold of the database, so use it!
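The three steps above, as an added example (not code from the original post or the article it links to), using only Python's standard library: a fresh salt per user from a CSPRNG, a key-stretched hash, and a record holding both. PBKDF2-HMAC-SHA256 stands in for bcrypt here because bcrypt is not in the standard library; it takes the salt as a separate parameter rather than having you prepend it. The last two functions show the point about salt reuse: a shared salt makes two users with the same password visibly identical, a per-user salt does not.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SALT_BYTES = 16
ITERATIONS = 200_000  # key-stretching work factor (constructed value); raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return the record to save for a user: the salt and the stretched hash."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # step 1: long random salt from a CSPRNG
    # step 2: stretched hash (PBKDF2-HMAC-SHA256 in place of bcrypt)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # step 3: both salt and hash go into the user's record
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def reused_salt_leaks_equal_passwords(password: str) -> bool:
    """Two users with the same password and the SAME salt get the same hash."""
    shared_salt = secrets.token_bytes(SALT_BYTES)
    first = hash_password(password, shared_salt)["hash"]
    second = hash_password(password, shared_salt)["hash"]
    return first == second


def unique_salt_hides_equal_passwords(password: str) -> bool:
    """With a fresh salt per user, identical passwords hash to different values."""
    return hash_password(password)["hash"] != hash_password(password)["hash"]


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample password
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("reused salt reveals equal passwords:", reused_salt_leaks_equal_passwords("hunter2"))
    print("unique salt hides equal passwords:", unique_salt_hides_equal_passwords("hunter2"))
```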