-1

Assume a client authenticates using the password, which includes hashing and salting. The hash values are stored in a remote database server.

Questions:

  1. For the hash values stored in the database side, salt is added already?

  2. The client sends the hash value to server for authentication. Is the salt added in this transmitted hash value? If yes, how can the client generate the same salt as server? If not, how to ensure the salt is same for both client and server?

  3. In real-life, what are the common ways to securely generate and store salt?

  4. How to periodically change the salt?

TJCLK
  • 828
  • 8
  • 23
  • 1
    Now it is *entirely* a duplicate of the other question. Also, clients should not be passing hashes, but the password. Why would you want to change the salt? – schroeder Jul 06 '18 at 08:46

1 Answers1

0

Most companies I know of are doing (or are moving towards) randomly-salted bcrypt, and the more security-aware usually add some sort of multi factor option like Time-based One Time Passwords.