Search code examples
cryptographybcryptsalt-cryptography

BCrypt generated + hard-coded Salt: Is this more safety?

I found a blog post about BCrypt and I'am not sure what is the Benefit ob adding the hard-coded Salt "^Y8~JJ" to the password?

The 'hashToStoreInDatabase' containing the salt and the crypted password, but not the hard-coded salt 'Y8~JJ'. So, if somebody steal the database it's useless for the hacker to generate an own rainbowtable with the salt (containing in the database) and the hashed password, because they never get the hard-coded salt 'Y8~JJ'.

(I knew that is already safety to save the salt and passwordhash togheter, because a rainbowtable is expencive to generate)

Is this using of BCrypt recommended?

Quote from: https://www.codeproject.com/articles/475262/useplusbcryptplustoplushashplusyourpluspasswords

private void SetPassword(string user, string userPassword)
{
   string pwdToHash = userPassword + "^Y8~JJ"; // ^Y8~JJ is my hard-coded salt
   string hashToStoreInDatabase = BCrypt.HashPassword(pwdToHash, BCrypt.GenerateSalt());
   using (SqlConnection sqlConn = new System.Data.SqlClient.SqlConnection(...)
   {
     sqlConn.Open();
     SqlCommand cmSql = sqlConn.CreateCommand();
     cmSql.CommandText = "UPDATE LOGINS SET PASSWORD=@parm1 WHERE USERNAME=@parm2";
     cmSql.Parameters.Add("@parm1", SqlDbType.Char);
     cmSql.Parameters.Add("@parm2", SqlDbType.VarChar);
     cmSql.Parameters["@parm1"].Value = hashToStoreInDatabase;
     cmSql.Parameters["@parm2"].Value = user;
     cmSql.ExecuteNonQuery();
   }
 }

private bool DoesPasswordMatch(string hashedPwdFromDatabase, string userEnteredPassword)
{
    return BCrypt.CheckPassword(userEnteredPassword + "^Y8~JJ", hashedPwdFromDatabase);
}
Solution

  • It is actually called pepper. The salt is stored in DB, but pepper is stored somewhere else then DB.

    The Wikipedia states as;

    A pepper performs a comparable role to a salt, but while a salt is not secret (merely unique) and can be stored alongside the hashed output, a pepper is secret and must not be stored with the output. The hash and salt are usually stored in a database, but a pepper must be stored separately (e.g. in a configuration file) to prevent it from being obtained by the attacker in case of a database breach.

    When the database hacked, the attacker cannot access the pepper, as a result, password search would be impossible even for weak passwords.

    In short, yes recommended.

    However, Bcrypt is old. One should use Argon2 as the winner of the password hashing competition.