Question

I understand the idea of hash+salt when I create a new entry in the dtb. If I have some fixed string for the salt it might not be hard to implement, but how do I do it when I want to use, for example, the user's birthday as a salt? Saving that password to the database is easy, but how do I hash it during login? I've googled this piece of code for my applicationContext-security.xml file, where they use the username value as the salt:

<!-- authentication from database -->
<security:authentication-manager>
    <security:authentication-provider>
        <!-- users and their roles are read from the database through the data source -->
        <security:jdbc-user-service
            data-source-ref="dataSource"
            users-by-username-query="
                select username, password, enabled
                from users where username = ?"
            authorities-by-username-query="
                select u.username, ur.authority from users u, user_roles ur
                where u.user_id = ur.user_id and u.username = ?" />
        <!-- SHA-256 over the password, salted with the username column of the same row -->
        <security:password-encoder hash="sha-256">
            <security:salt-source user-property="username" />
        </security:password-encoder>
    </security:authentication-provider>
</security:authentication-manager>

So if I understand it correctly, it means that if I would like to use the user's birthday as the salt, I would have to have it stored in my dtb, pull it out of the dtb and then use it as the salt? It doesn't make sense to me, because if I have the columns username, password and birthday in my users table, then the password can be hashed, but it is quite clear to a possible attacker that the birthday value is used as the salt. Is there something I'm missing, or does it really work like that?


Solution

The goal of using salts is to protect users' passwords in case of a database dump by a hacker. Because a hash is a one-way conversion (you can't reverse the conversion to get the plaintext password), hackers use dictionaries of hashes to guess users' passwords (using common passphrases). So adding a salt adds an additional protection layer against this type of attack.

From Wikipedia:

- Dictionary attack
- Rainbow table attack

OTHER TIPS

The salt is not sensitive information; it doesn't matter if it is disclosed. The salt simply prevents rainbow table attacks on hashes. Note that the salt should have a fairly high level of entropy, and a birthday may not be as secure as, say, 32 bytes from SecureRandom.
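The mechanism both answers describe, as an added stand-alone illustration that is not part of the original question or answers and is not Spring Security code: a fresh random salt is generated per user, stored in the clear next to the hash, read back at login to re-hash the submitted password, and its only job is to make every stored hash unique so a precomputed table is useless. The in-memory USERS dictionary, the short WORDLIST and the user names are constructed here for the demonstration; secrets.token_bytes(32) plays the role of 32 bytes from SecureRandom, and SHA-256 over salt || password stands in for the sha-256 encoder in the question.

```python
"""Per-user random salt stored beside the hash: register, verify, and why a
precomputed (rainbow/dictionary) table stops working once salts differ."""
import hashlib
import hmac
import secrets

# Constructed stand-in for the users table: username -> (salt, password_hash).
# The salt column is not secret; an attacker with a dump sees it.
USERS = {}

# Constructed attacker wordlist of "common passphrases".
WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2"]


def hash_password(password, salt):
    """SHA-256 over salt || password (same shape as the question's sha-256 encoder)."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def register(username, password, salt=None):
    """Create the row: a fresh 32-byte random salt (like SecureRandom) plus the hash.
    An explicit salt can be passed to simulate unsalted or low-entropy storage."""
    if salt is None:
        salt = secrets.token_bytes(32)
    USERS[username] = (salt, hash_password(password, salt))


def login(username, password):
    """At login the stored salt is read back from the row, the submitted password
    is hashed with it, and the two digests are compared in constant time."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, hash_password(password, salt))


def precomputed_attack(dump, wordlist):
    """Rainbow-table style: hash the wordlist once (no salt), then look up every
    dumped hash. Works only if the victims were stored without a salt."""
    table = {hash_password(word, b""): word for word in wordlist}
    return {user: table[h] for user, (_salt, h) in dump.items() if h in table}


def per_user_attack(dump, wordlist):
    """The salt is visible, so guessing is still possible, but the attacker must
    redo the whole wordlist for every user. Returns (cracked, hashes computed)."""
    cracked, work = {}, 0
    for user, (salt, h) in dump.items():
        for word in wordlist:
            work += 1
            if hmac.compare_digest(hash_password(word, salt), h):
                cracked[user] = word
                break
    return cracked, work


def demo():
    """Same weak password for two users, stored unsalted and then salted."""
    USERS.clear()
    register("alice", "hunter2", salt=b"")   # unsalted: identical hashes
    register("bob", "hunter2", salt=b"")
    unsalted_same_hash = USERS["alice"][1] == USERS["bob"][1]
    cracked_unsalted = precomputed_attack(dict(USERS), WORDLIST)

    USERS.clear()
    register("alice", "hunter2")             # random 32-byte salt per row
    register("bob", "hunter2")
    salted_same_hash = USERS["alice"][1] == USERS["bob"][1]
    cracked_salted = precomputed_attack(dict(USERS), WORDLIST)
    cracked_per_user, work = per_user_attack(dict(USERS), WORDLIST)

    return {
        "unsalted_same_hash": unsalted_same_hash,
        "cracked_unsalted": cracked_unsalted,
        "salted_same_hash": salted_same_hash,
        "cracked_salted": cracked_salted,
        "cracked_per_user": cracked_per_user,
        "per_user_work": work,
        "login_ok": login("alice", "hunter2"),
        "login_bad": login("alice", "wrong"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The salted run shows why the salt does not need to be hidden: the precomputed table finds nothing, and the per-user attack still has to hash the whole wordlist once per row, so the cost scales with the number of users instead of being paid once. A birthday as salt has the same storage shape but only a few thousand distinct values, so an attacker can precompute one table per birthday; a random 32-byte salt cannot be enumerated that way. One caveat the thread does not cover: plain SHA-256 is fast, so for real password storage a deliberately slow password hash (bcrypt, scrypt, Argon2 or PBKDF2) should replace it; the salt handling shown here is the same.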

Licensed under: CC-BY-SA with attribution