How to salt and pepper passwords?
- Published: 29 Sep 2024
- How to salt your passwords? How to add "pepper" to salted passwords? What is the difference between salt and pepper?
This video defines the salt and pepper techniques and explains how they work.
Playlist: Basic Cryptography
• Private Key Encryption...
Advanced Cryptography:
• What is digital signat...
Please leave comments and questions, and please subscribe!
Sunny Classroom
Clear illustrations and examples are given. Really a good video for new learners to know more about salted hash and peppered hash. Thanks!
This channel is pure gold. Clear and concise information.
Thank you for the great lessons.
I need like each video to no see them two times...
1. Who generates the 'salt'? The user or some system?
2. When the user enters their password to authenticate, which system is aware of the salt to add it to the password that the user entered to run it through the hash algorithm?
3. I am assuming that since the salt is stored in the same DB as the user details, would a compromise of the DB mean that the user account (provided the attacker already knows the user password) is now compromised?
4. Is there a reason why the salt is stored in the same DB?
Stumbled upon this channel, ended up subscribing in the first minute :)
I am having the same doubt after listening to the video
garlic and napkin , that was funny at the end !
Thanks Sunny. Your videos are nicely put together. Pretty good material, delivery is clear and concise using nice animations, length is appropriate = Excellent job!!
So nice of you
I never comment on YouTube, but you deserve it. It's amazing, a very good explanation and really easy to understand.
Thank you very much! I appreciate it.
You are the best with this method of explanation :)
Wouldn't you know it, Trump used the word "salt" as his salt for Twitter
I wish that you never quit providing this high-quality material. This channel is really underrated.
LOL! Tomorrow we might need garlic and napkin :D
Sir, you are saying that the hash algorithm is not reversible, but in another video using CrackStation you got the password from multiple digests. If it is not reversible, then how does this happen? Please reply.
Great question. The method is like this. CrackStation or hackers generate millions of digests/hashes and then match your hash; once they are the same, they know the original text. You can check my video called "dictionary attack or brute force attack", and you will find hackers use this method to hack our hashed passwords. Thank you for your great question.
Who the hell thumbed down on the video?!
Sunny, I am taking a course to become an IT support specialist. After I take my lessons, I always come to your channel to actually understand my teachers. hahaha. Thanks so much, you are the best!
You rock!
Very good explanation! So if I understood correctly, I can do this: Assign my users randomly generated passwords, don't use a salt, but should use a pepper to hash these passwords in my backend, so that insiders (to my db) cannot simply read the passwords there, correct?
Garlic = SMS text-message two-factor authentication (2FA)
Napkin = voice-based 2FA
Amazing content. Explained so well I would recommend this course to Einstein :) Thank you so much. This was so useful. Subscribed already and liked all the videos on this playlist.
😂😂 In the future there will be onion, tomato and rice also.. your video explanation is very very good
WOW! came to learn real quick what salting is... stayed for the animations 😎
Now I think... what if I just invert user letters? Normal letters to caps-lock and reverse?
Is it okay to store the user salts along with the user details in the database?
and should we encrypt user email id too or only the password?
I'm using AES to encrypt the user credentials
Thank you soooooooo much. Could you please explain more about how putting pepper to a password
Pepper is a site-wide secret. For example, the programmer adds "sunny" to everyone's password. When Tom signs up for the first time, he chooses "abc123" as his password; as he submits his signup to the database, his password is abc123sunny.
Like a salt, a pepper is a random value. But it is different from a salt, because a salt is a unique value for each user, and the pepper is for everyone in the database. In other words, a pepper is a site-wide static value. The pepper is not stored in the database. It is a secret.
for example, pepper is abcde
password: sunny
salt is: 12345
then my new password with salt and pepper would be a hash of "sunny12345abcde". The purpose is to make the password more random.
@sunnyclassroom24 ok, then don't store the salt in the database from the beginning and make it site-wide static; then there is no need for pepper, why not?
@sunnyclassroom24 so what about if someone types "sunny" as the password, wouldn't he get the user? Because the salt and pepper will be added automatically to the password
Sunny you have the best explanations for topics on the internet
Hi, Today's topic is Salt & Pepper.
Would i like some Salt & Pepper on my Omelette? I don't know, but, passwords can surely use it!
Where did you get a salt that consists of e54f2? Thanks
a random value for each user
Please can you provide an example in java for salt & pepper implementation
Loved the salt and mixer animation :D too good.. One of the best explanations. Binge watching all ur videos
Thank you so much 😀
Thanks god. you exist in the world !!
Nice video. Good explanation of Salt/Pepper. Think next will be Ketchup and Mustard.
Thank you very much for your comment. I will watch if new technologies are coming out :)
I will save your channel in my favorites
Where have you been, or where have I been, not able to find you... Your explanations are AMAZING. Simple to understand. Critical for exams like CISSP where you are drilled on the concept!! Thanks for doing these
Wow, thank you!
is the salt supposed to be stored in the database for each user? Is salt something that a hacker would see?
yes, but it doesn't matter, since salt is not used to make a password more secret, it's used in order to not have a lot of identical passwords in a database, because in that case the attacker would find the most widely used password and try to crack it. if you salt your passwords, there will be no identical hashes, therefore a hacker would not know which passwords are actually identical
also salt helps with eliminating rainbow table attacks, since the attacker would need to generate a rainbow table for each salt, and it would take ages.
pepper, on the other hand, is not stored in a database, it's simply appended as a constant in the hashing function on your backend. thus, if only the database is leaked and the server sources stay intact, the passwords are basically uncrackable. the attacker would need to brute force the pepper, and if the pepper is long enough, it would not be feasible.
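The scheme described in these replies (per-user random salt stored beside the digest, site-wide pepper kept only in server code, verification by recomputing the digest) as an added example that is not code from the video or the channel. It swaps the plain hash-of-concatenation for PBKDF2 with the pepper applied as an HMAC key; the pepper value and the in-memory `db` dict are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Site-wide secret ("pepper"): lives in server config, never in the database.
# Constructed value for this example; a real deployment loads it from a secrets store.
PEPPER = b"example-pepper-not-for-production"

ITERATIONS = 200_000  # PBKDF2 work factor; tune for your hardware


def hash_password(password: str, salt: bytes, pepper: bytes = PEPPER) -> bytes:
    """Digest of password + per-user salt + site-wide pepper.

    The slow KDF (PBKDF2-HMAC-SHA256) takes the salt, so equal passwords give
    different digests and one rainbow table cannot cover all users. The pepper is
    applied as an HMAC key over the KDF output, so a database-only leak gives an
    attacker nothing to brute-force without the server's pepper.
    """
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.new(pepper, dk, "sha256").digest()


def register(db: dict, username: str, password: str) -> None:
    salt = secrets.token_bytes(16)  # fresh random salt, stored next to the digest
    db[username] = {"salt": salt, "digest": hash_password(password, salt)}


def verify(db: dict, username: str, password: str, pepper: bytes = PEPPER) -> bool:
    rec = db.get(username)
    if rec is None:
        return False
    candidate = hash_password(password, rec["salt"], pepper)
    return hmac.compare_digest(candidate, rec["digest"])  # constant-time compare


def demo() -> dict:
    """Register two users with the same password and check the properties above."""
    db = {}
    register(db, "tom", "abc123")
    register(db, "ann", "abc123")  # same password as tom
    return {
        "same_pw_different_digest": db["tom"]["digest"] != db["ann"]["digest"],
        "correct_password": verify(db, "tom", "abc123"),
        "wrong_password": verify(db, "tom", "abc124"),
        "wrong_pepper": verify(db, "tom", "abc123", pepper=b"other-server"),
        "unknown_user": verify(db, "bob", "abc123"),
    }


if __name__ == "__main__":
    print(demo())
```

The `wrong_pepper` case is the database-leak scenario: an attacker holding salt and digest but not the server's pepper cannot confirm a candidate password.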
Fei chang hao! Xie xie ni, Sunny! Thank You! : ) ❤
Thank you sir. God bless you.👍😊👏👏
Really great content! But I have yet some open questions..
1) Is it always password+salt+pepper (+ meaning concat of these values)? Or is the order implementation specific?
2) What are decent ways to figure out salt & pepper once you have access to the database?
To me the most convenient way seems to be: create a new user with a simple password and try to crack the resulting hash that will be put into the database.
Also, does the Pepper change? I think it would be really strong if we would choose different pepper according to the timestamp for example?
Greetings, really enjoy your content! Hope you don't mind the questions.
If each password is randomized by the user. The salts and peppers are extra.
The problem is too many users. Use the same password on every damned thing.
With all the open source, free, and paid options for password database. It is just pointless.
A very good, very clear explanation. Thank you very much
Amazing lessons. Thank you so much Sunny.
You are welcome! I appreciate it.
These are great videos! Very simple to understand...
Many thanks for your nice comment.
Thanks a lot great explanation 😀😀🎉
@sunny Classroom
1. So when user1 chooses "password123", the server will do
(password123 + salt (unique value per user) + pepper (same value for all)) >> hashing, and save the hash???
2. The salt is saved in the database, but the pepper isn't saved anywhere, "hard coded", and known to the server code only
Am I right?
PS: at 2:45 and 4:47, should the "user name" header be changed to "user password"?
Great Job sunny .. Miss new videos
I keep coming back for the jokes
Visual explanation . Superb
It is extremely simple to understand
Thanks for the video!
thank you sir for the explanation
Garlic & Napkin is the best!
Great work 👍
Thank you!
Thanks man . Helped a lot with the playlist ! :)
Glad it helped!
Amazing Sunny!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Thank you so much for this =]
Nice explanation.
I have one query.
Salt + hash + pepper = total hash value stored somewhere?
Salt + hash = salted value stored in the database? And (salted hash + pepper) = final hash value stored somewhere after three hashes?
Please reply to me.
salt + hash + pepper = total hash will not be stored anywhere. It is only in the process of login. Thus a man-in-the-middle attack will be avoided. Storage in any database would compromise the technologies.
@sunnyclassroom24 okay. I mean after hashing salt+password+pepper, is this hash value stored in some secret place or database?
Because in the salted hashing case the salt+password value is stored in the database only, right?
I think now you understand my question.
@pt9606 Yes, they should be stored in the database with their user name.
Unfortunately you don't explain how the receiving server can validate a correct password if it is salted. If it is random every time, how would the receiver know?
kind of spicy though
Thank you so much!!🌈
Monsieur, that is a great channel! Clean, concise, short but full of content. Great job, many thanks!
With salting of passwords, wouldn't there have to be a database that has the salt stored, so when you sign in, it'll have to match it up to your inputted password and then hash it to compare it with that saved digest? If the salt is random, how does it know what salt to add every time you sign in?
I loved this video
I think it was a perfect representation and explanation about hash, salt, and pepper. Thanx a lot.
You are awesome , all videos are good and well explained
Many thanks for your kind words.
This is a great explanation, but what, when or how does the salting take place?
Your videos are very informative and have excellent content. Thanks!
I've got a question here. To avoid hacks, you mentioned that the hash is done on the whole set of (user pwd + salt + pepper), and hence the digest is created on much more complex data, which would be difficult to retrieve from lookups.
May I know how the same user would be authenticated the next time he logs in? Would the salt and pepper be stored along with the user identity?
Good questions.
1) The more elements added, the more difficult to hack.
2) each user has a salt of his own
3) every user shares a pepper (a secret known only by the system developer)
4) The same user still uses his normal password in clear text, but it is hashed, then salted, and then pepper is added, then the result is compared to the stored digest; if matched, the user is authenticated. The whole process is only used to hide the real plain text password.
Thanks for the clarification Sunny :)
@Sainath Sk the password remains the same as long as the user does not update her/his password.
The user only logs in with his password. The salt is saved in his database and the pepper is a site-wide secret shared with all users in the database. To a user, all he knows is his password.
Great video thanks, the effects are a bit loud tho
Thanks a lot for your advice. I have lowered the volume for most recent videos.
Thanks!!!
Thanks for the graphical explanation. This makes so much more sense.
Good job Mr!
Superb
thank you, Garlic and napkin :)
Most welcome 😊
You sound like Jian-Yang. Love the video tho!
LOL, true.
Sunny, I hope you read this.
You are amazing, the detail and explanation are to the point and very clear.
Kudos man !!
However, there is one thing, in my opinion of course, which can be improved and that is - that terrible music. It's just a recommendation - please change it.
Love your work.
Thank you !!
Yes, thanks a lot for your suggestion. The latest videos (last 50 videos) I try to cut the music or lower the volume. Thanks a lot for your advice. You are very welcome to point that out.
:) :) nice one Sunny!!
Thanks! 😊
Thank you for the digestible and tasteful explanation, could have used a bit less salt in the end ;)
Another satisfying video! :)
wow, I love you teaching. Thanks
Are salts stored on the local machine? As they're not stored in the database??
They are stored in the database on the server side.
I thought one was stored in the database & one was stored on the local machine? Doesn't storing all three, i.e. salt/password/pepper, in the database kind of defeat the object of having them?
If a hacker compromises the database then they'd have all three parts
passwords and salts are compromised but not pepper, which is site-wide random value.
password is hashed and salt is random for each password in the database, but pepper is only known by the server, a secret not stored in the database.
I've never heard of pepper, it makes sense though
nice thx but pepper is not explained well
Thank you. Nicely done explanation.
How do I know the hash without knowing the password?
Greatly done Sunny...!
🥇🎖🏅
Very concise explanations!
Great Explanation!
Many thanks for your kind words!
You are awesome! thanks sir.....
Great class! loved it!
Thank you Sunny !
Is salt and pepper known as obfuscation?
I think you are correct, in essence.
You are awesome!
AWESOME !
Nice explanation, dear.
Thanks a lot RK.
@sunnyclassroom24 Sunny Classroom, I have major queries, that is,
1. If an attacker had the salted hashing database, could he do a brute force attack and get authenticated, right?
2. If the pepper is not stored in the database, then where is it stored?
3. Salt and pepper = new hash value?
4. Pepper = new hash value?
5. Some hackers convert a hash value into plaintext; is that possible?
6. What are the pre-calculated hashes in a rainbow table?
Because an interviewer asked me these questions, that's why I'm asking you, dear.
Please give me a reply.
@rk.x01 1. yes. 2. Only the web developer/owner knows the pepper. 3. password + salt + pepper = hash value. 4. Pepper is not a hash value. Salt is not a hash value either. 5. The hash value is not reversible, but they can check against the candidate table. 6. A pre-generated candidate hash table. Please check my three videos: hash function, dictionary attack and brute force attack; you would understand how hash functions work.
@sunnyclassroom24 thank you.
@rk.x01 You are welcome!
Trump!