It is good to salt your password (with a static salt).
It is good to hash your salted password.
But it is not so difficult for attackers to break these methods.
To add an extra layer of security, the principle of DYNAMIC SALTING emerged.
Dynamic salting is the act of using a different salt for each user. These salts are freshly generated each time a password has to be saved, whether through a password reset or a new signup.
How can you implement DYNAMIC SALT/SALTING as a developer?
Here are 5 simple steps to achieve strong password security via dynamic salting:
A. For a new signup
1. get the user's password (e.g. myP@$swaRd)
2. generate a new salt (e.g. 8jdn*nY4rg^s@1)
3. salt the password to give 8jdn*nY4rg^s@1myP@$swaRd; you can put the password first, the order does not matter as long as you use the same order every time
4. then hash the salted password, to give something like c150eb6c1b776f390be60a0a5933a2a2f8c0a0ce766ed92fea5bfd9313c8f
5. save the hash to the DB, and also save the salt to the DB in this user's record
B. To authenticate (confirm) a user
1. get the email and password the user is trying to log in with
2. use the email to retrieve the salt (and the stored hash) from the DB
3. use the retrieved salt to salt the inputted password
4. using the same formula you used when creating the password at signup, hash the result of step 3
5. compare the result of step 4 with the hash you retrieved from the DB in step 2
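Both procedures (A and B) in working form, as an added example that is not part of the original post. It assumes an in-memory dictionary stands in for the DB, uses PBKDF2-HMAC-SHA256 as the "hash" step (a slow, salted hash rather than a single SHA-256 pass) and compares hashes in constant time; the iteration count and function names are the example's own choices.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory "DB": email -> record holding the per-user salt and hash.
USER_DB: dict[str, dict[str, str]] = {}

# Assumed parameter (not from the original post): PBKDF2 work factor that makes
# offline guessing slow even if the salted hashes are leaked.
PBKDF2_ITERATIONS = 600_000


def hash_salted(salt: bytes, password: str) -> str:
    # Steps A3/A4: combine salt and password, then hash. The salt is fed to
    # PBKDF2 as its salt parameter; that order is fixed, so signup and login
    # always hash the same way.
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return digest.hex()


def signup(email: str, password: str) -> dict[str, str]:
    # Steps A1-A5: a fresh random salt for this password, never shared
    # between users, stored next to the hash in the user's record.
    salt = secrets.token_bytes(16)
    record = {"salt": salt.hex(), "hash": hash_salted(salt, password)}
    USER_DB[email] = record
    return record


def authenticate(email: str, password: str) -> bool:
    # Steps B1-B5: look up the user's salt, re-hash the submitted password the
    # same way, and compare with the stored hash in constant time.
    record = USER_DB.get(email)
    if record is None:
        # Unknown email: do the same work so response time does not reveal
        # which emails exist.
        hash_salted(secrets.token_bytes(16), password)
        return False
    candidate = hash_salted(bytes.fromhex(record["salt"]), password)
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    a = signup("alice@example.com", "myP@$swaRd")
    b = signup("bob@example.com", "myP@$swaRd")
    print("same password, different hashes:", a["hash"] != b["hash"])
    print("correct password accepted:", authenticate("alice@example.com", "myP@$swaRd"))
    print("wrong password rejected:", authenticate("alice@example.com", "myP@$swaRd!"))
```

Because every user gets a different salt, two users with the same password end up with different hashes, so one cracked hash says nothing about the others.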
Follow and tweet @wahabind