Forgive me, as I am very new to cryptography, but it seems interesting, and I ha
ID: 660031 • Letter: F
Question
Forgive me, as I am very new to cryptography, but it seems interesting, and I have a question.
I'll state my beliefs and please feel free to correct me on the aspects that I'm mistaken so i can learn:
Here's what I think I know:
1. When trying to protect a password, it goes through a hash function (i.e. SHA-1), and the resulting hash is stored in the database instead of the actual password itself.
2. Any time one attempts to log in, and they type in their password, their entry gets hashed and then compared to the hash value in the database
3. So does this mean that for a given login system, if i type "password1", it always has the same hash value?
4. If that is the case, then wouldnt all members of a login system who have the same password also have the same hash value in the database? Or is there an additional form of security/differentiation implemented for each user so that my "password1" does not come out to the same hash value as the "password1" of another user?
Explanation / Answer
Yes, sort of. Ideally two values are stored. A unique salt, and a hash of the salt+password. A globally unique salt is generated and stored for each password.
Again, sort of. First the salt for that user account is retrieved from the database, then the salt+password is hashed and compared to the hash value sotred in the database.
No, because the salt will be different for each user, resulting in a different final hash value for each user.
See 3. The salt is the additional security/differentiation component that prevents the hashes from being the same.