How to salt and pepper passwords?

Views: 64,233

Sunny Classroom

6 years ago

How to salt your passwords? How to add "pepper" to salted passwords? What is the difference between salt and pepper?
This video defines the salt and pepper techniques and how they work.
Playlist: Basic Cryptography
• Private Key Encryption...
Advanced Cryptography:
• What is digital signat...
Please leave comments, questions and
please subscribe!
Sunny Classroom

Comments: 133
@maxechendu6693 6 years ago
This channel is pure gold. Clear and concise information. Thank you for the great lessons.
@lsaavedr 3 years ago
I need to like each video to not see them two times...
@thedude3544 5 years ago
Garlic and napkin, that was funny at the end!
@abdalsattarardati5203 6 years ago
I wish that you never quit providing this high-quality material. This channel is really underrated.
@davidr.flores2043 3 years ago
Thanks Sunny. Your videos are nicely put together. Pretty good material, delivery is clear and concise using nice animations, length is appropriate = Excellent job!!
@sunnyclassroom24 3 years ago
So nice of you
@anson0714 5 years ago
Clear illustrations and examples are given. Really a good video for new learners to know more about salted hash and peppered hash. Thanks!
@socorreitor 4 years ago
I never comment on YouTube, but you deserve it. It's amazing, a very good explanation and really easy to understand.
@sunnyclassroom24 4 years ago
Thank you very much! I appreciate it.
@tomaszhorczynski3170 2 years ago
Monsieur, that is a great channel! Clean, concise - short but full of content. Great job - many thanks!
@thecyrusj13 1 year ago
Thanks for the graphical explanation. This makes so much more sense.
@zainbensaleh1762 6 years ago
You are the best with this method of explanation :)
@billyffa 3 years ago
Sunny, I am taking a course to become an IT support specialist. After I take my lessons, I always come to your channel to actually understand my teachers. hahaha. Thanks so much, you are the best!
@sunnyclassroom24 3 years ago
You rock!
@bijaygurung2078 4 years ago
Amazing lessons. Thank you so much Sunny.
@sunnyclassroom24 4 years ago
You are welcome! I appreciate it.
@DJAlax909 2 years ago
WOW! Came to learn real quick what salting is... stayed for the animations 😎
@sefakpsz 2 years ago
I think it was a perfect representation and explanation about hash, salt, and pepper. Thanks a lot.
@lef1040 2 years ago
Very concise explanations!
@or251j 2 years ago
Great class! Loved it!
@malshamadushani5456 4 years ago
A very good, very clear explanation. Thank you very much
@asoteico9528 4 years ago
Greatly done Sunny...! 🥇🎖🏅
@sylvesterbello6434 4 years ago
Wow, I love your teaching. Thanks
@gdorlexa 6 years ago
These are great videos! Very simple to understand...
@sunnyclassroom24 6 years ago
Many thanks for your nice comment.
@malikadabare3719 4 years ago
Thank you. Nicely done explanation.
@BijouBakson 4 years ago
Amazing content. Explained so well I would recommend this course to Einstein :) Thank you so much. This was so useful. Subscribed already and liked all the videos on this playlist.
@a.hemlata7521 2 years ago
Visual explanation. Superb
@marcosalameh8677 2 years ago
Amazing Sunny!!!
@patryk2700 3 years ago
Another satisfying video! :)
@giorgi23 3 years ago
Good job Mr!
@rainron2664 3 years ago
Thank you sir. God bless you.👍😊👏👏
@rahuls331 3 years ago
Thank you Sunny!
@meliodas.1108 3 years ago
Thanks man. Helped a lot with the playlist! :)
@sunnyclassroom24 3 years ago
Glad it helped!
@kirstenmeates8248 6 years ago
Great Explanation!
@sunnyclassroom24 6 years ago
Many thanks for your kind words!
@anthonyholleran9378 11 months ago
Fei chang hao! Xie xie ni, Sunny! Thank You! :) ❤
@rajivraghu9857 3 years ago
Loved the salt and mixer animation :D too good.. One of the best explanations. Binge watching all your videos
@sunnyclassroom24 3 years ago
Thank you so much 😀
@supriyatenny3744 4 years ago
Great work 👍
@sunnyclassroom24 4 years ago
Thank you!
@walterwhite1186 1 year ago
Thanks a lot, great explanation 😀😀🎉
@alisonnunez9739 3 years ago
Thank you so much!!🌈
@vivekprajapati7911 5 years ago
You are awesome! Thanks sir.....
@iiN1GH7M4R3ii 2 years ago
Thank you sir for the explanation
@enjoysharingcaring 2 years ago
It is extremely simple to understand
@C0ttageChees 1 year ago
Thank you so much for this =]
@josephselvaraj8359 5 years ago
You are awesome, all videos are good and well explained
@sunnyclassroom24 5 years ago
Many thanks for your kind words.
@twishasahay3178 1 year ago
I loved this video
@armandocabrales7400 5 years ago
You are awesome!
@chetanvyas3479 1 year ago
Superb
@mibrahim4245 5 years ago
AWESOME!
@user-kw9ne4br3d 1 year ago
Thanks!!!
@mugume 3 years ago
:) :) Nice one Sunny!!
@sunnyclassroom24 3 years ago
Thanks! 😊
@luvkashyap 3 years ago
Where have you been or where I have been not able to find you... Your explanations are AMAZING.. Simple to understand. Critical for exams like CISSP where you are drilled on the concept!! Thanks for doing these
@sunnyclassroom24 3 years ago
Wow, thank you!
@tubingforever 1 year ago
LOL! Tomorrow we might need garlic and napkin :D
@danielrice5474 6 years ago
Nice video. Good explanation of Salt/Pepper. Think next will be Ketchup and Mustard.
@sunnyclassroom24 6 years ago
Thank you very much for your comment. I will watch if new technologies are coming out :)
@zainbensaleh1762 6 years ago
I will save your channel in my favorites
@disasterromio 5 years ago
@sunny Classroom
1. So when user1 chooses "password123", the server will hash (password123 + salt (unique value per user) + pepper (same value for all)) and save the hash?
2. The salt is saved in the database, but the pepper isn't saved anywhere, "hard coded", and known to the server code only. Am I right?
PS: at 2:45 and 4:47, should the "user name" header be changed to "user password"? Great job, Sunny.. Miss new videos
@111michiel 5 years ago
Thank you for the digestible and tasteful explanation, could have used a bit less salt in the end ;)
@brierepooc8987 3 years ago
This is a great explanation, but what, when or how does the salting take place?
@rk4385 4 years ago
Nice explanation, dear.
@sunnyclassroom24 4 years ago
Thanks a lot RK.
@rk4385 4 years ago
@sunnyclassroom24 Sunny Classroom, I have major queries, that is:
1. If an attacker had the salted hashing database, he can do a brute force attack and he can be authenticated, right?
2. If the pepper is not stored in the database, then where is it stored?
3. Salt and pepper = new hash value?
4. Pepper = new hash value?
5. Some hackers convert hash values into plaintext; is it possible?
6. What are pre-calculated hashes in a rainbow table?
Because one interviewer asked me these questions, that's why I'm asking you, dear. Please give me a reply.
@sunnyclassroom24 4 years ago
@rk4385
1. Yes.
2. Only the web developer/owner knows the pepper.
3. password + salt + pepper = hash value
4. Pepper is not a hash value. Salt is not a hash value either.
5. The hash value is not reversible, but they can check against the candidate table.
6. Pre-generated candidate hash table.
Please check my three videos: hash function, dictionary attack and brute force attack videos; you would understand how hash functions work.
@rk4385 4 years ago
@sunnyclassroom24 Thank you.
@sunnyclassroom24 4 years ago
@rk4385 You are welcome!
@themetalnoir2233 4 years ago
Hi, Today's topic is Salt & Pepper. Would I like some Salt & Pepper on my Omelette? I don't know, but, passwords can surely use it!
@tornoutlaw 1 year ago
Very good explanation! So if I understood correctly, I can do this: Assign my users randomly generated passwords, don't use a salt, but should use a pepper to hash these passwords in my backend, so that insiders (to my db) cannot simply read the passwords there, correct?
@VikasSequeira 4 years ago
1. Who generates the 'salt'? The user or some system?
2. When the user enters their password to authenticate, which system is aware of the salt to add it to the password that the user entered to run it through the hash algorithm?
3. I am assuming that since the salt is stored in the same DB as the user details, would a compromise of the DB mean that the user account (provided the attacker already knows the user password) is now compromised?
4. Is there a reason why the salt is stored in the same DB?
Stumbled upon this channel, ended up subscribing in the first minute :)
@vinayk4061 4 years ago
I am having the same doubt after listening to the video
@dayumnson9769 3 years ago
Really great content! But I have yet some open questions..
1) Is it always password+salt+pepper (+ meaning concat of these values)? Or is the order implementation specific?
2) What are decent ways to figure out salt & pepper once you have access to the database? To me the most convenient way seems to be: create a new user with a simple password and try to crack the resulting hash that will be put into the database.
Also, does the pepper change? I think it would be really strong if we would choose different pepper according to the timestamp, for example?
Greetings, really enjoy your content! Hope you don't mind the questions.
@jamesedwards3923 3 years ago
If each password is randomized by the user. The salts and peppers are extra. The problem is too many users. Use the same password on every damned thing. With all the open source, free, and paid options for password database. It is just pointless.
@ravensmith5045 6 years ago
Thank you soooooooo much. Could you please explain more about how putting pepper to a password
@sunnyclassroom24 6 years ago
Pepper is a site-wide secret. For example, the programmer adds "sunny" to everyone's password. When Tom signs up for the first time, he chooses "abc123" as his password; as he submits his signup to the database, his password is abc123sunny.
@sunnyclassroom24 5 years ago
Like a salt, pepper is a random value. But it is different from salt, because salt is a unique value for each user, and pepper is for everyone in the database. In other words, a pepper is a site-wide static value. Pepper is not stored in the database. It is a secret. For example:
pepper: abcde
password: sunny
salt: 12345
Then my new password with salt and pepper would be a hash of "sunny12345abcde". The purpose is to make the password more random.
@mibrahim4245 5 years ago
@sunnyclassroom24 OK, then don't store the salt in the database from the beginning and make it site-wide static, then no need to pepper, why not?
@robinhood3841 4 years ago
@sunnyclassroom24 So how about if someone types sunny as password, he wouldn't get the user?? Because the salt and pepper will be added automatically in the password
@vaishakhmr5144 5 years ago
Your videos are very informative and have got excellent content. Thanks! I got a question here. To avoid hacks, you had mentioned that hash is done on the whole set of (user pwd + salt + pepper), and hence the digest is created on much more complex data, which would be difficult to retrieve from lookups. May I know how the same user would be authenticated when he logs in next time? Would the salt and pepper be stored along with the user identity?
@sunnyclassroom24 5 years ago
Good questions.
1) The more elements added, the more difficult to hack.
2) Each user has a salt of his own.
3) Every user shares a pepper (a secret only known by the system developer).
4) The same user still uses his normal password in clear text, but it is hashed, then salted, and then pepper is added, then the result is compared to the stored digest; if matched, the user is authenticated. The whole process is only used to hide the real plain text password.
@vaishakhmr5144 5 years ago
Thanks for the clarification Sunny :)
@sunnyclassroom24 5 years ago
@Sainath Sk The password remains the same as long as the user does not update her/his password.
@sunnyclassroom24 5 years ago
The user only logs in with his password. Salt is saved in his database and pepper is a site-wide secret shared with all users in the database. To a user, all he knows is his password.
@vijaypandey1372 2 years ago
Thanks god. You exist in the world!!
@ChetanRawattunein 3 years ago
Is it okay to store the user salts along with the user details in the database? And should we encrypt the user email id too or only the password? I'm using AES to encrypt the user credentials
@chino9468 5 years ago
With salting of passwords, wouldn't there have to be a database that has the salt stored so when you sign in, it'll have to match it up to your inputted password and then hash it to compare it with that saved digest? If the salt is random, how does it know what salt to add every time you sign in?
@danielnease2230 9 months ago
I keep coming back for the jokes
@leesubiramaniyam2704 2 months ago
😂😂 Future will be onion, tomato, rice also.. Your video explanation is very, very good
@angelobuenavente9926 5 years ago
Where did you get a salt that consists of e54f2? Thanks
@sunnyclassroom24 5 years ago
A random value for each user
@muhammadrehmankhan6073 4 years ago
Sir, you are saying that the hash algorithm is not reversible, but in another video, using crackstation, you got the password from multiple digests. If it is not reversible, then how does this happen? Please reply.
@sunnyclassroom24 4 years ago
Great question. The method is like this. The crackstation or hackers generate millions of digests/hashes and then match your hash; once they are the same, they know the original text. You can check my video called "dictionary attack or brute force attack", and you will find hackers use this method to hack our hashed passwords. Thank you for your great question.
@aashishgupta8547 5 years ago
Sunny, I hope you read this. You are amazing, the detail and explanation are to the point and very clear. Kudos man!! However, there is one thing, in my opinion of course, which can be improved and that is - that terrible music. It's just a recommendation - please change it. Love your work. Thank you!!
@sunnyclassroom24 5 years ago
Yes, thanks a lot for your suggestion. In the latest videos (last 50 videos) I try to cut the music or lower the volume. Thanks a lot for your advice. You are very welcome to point that out.
@RishabhiVlogs 2 years ago
Please can you provide an example in Java for salt & pepper implementation?
@pt9606 4 years ago
Nice explanation. I have one query.
Salt+hash+pepper = total hash value stored somewhere?
Salt+hash = salted value stored in database?
And (salted hash+pepper) = final hash value stored somewhere after three hashes?
Please reply to me.
@sunnyclassroom24 4 years ago
salt + hash + pepper = total hash will not be stored anywhere. It is only in the process of login. Thus man-in-the-middle attack will be avoided. Storage in any database would compromise the technologies.
@pt9606 4 years ago
@sunnyclassroom24 Okay. I mean after hashing salt+password+pepper, is this hash value stored in some secret place or database? Because in the salted hashing case the salt+password value is stored in the database only, right? I think now you understand my question.
@sunnyclassroom24 4 years ago
@pt9606 Yes, they should be stored in the database with their user name.
@shubmakes 5 years ago
You sound like Jian-Yang. Love the video tho!
@thembadantye4212 3 years ago
LOL, true.
@TheGuroguro12 2 years ago
Thank you, Garlic and napkin :)
@sunnyclassroom24 2 years ago
Most welcome 😊
@KoepenickDrums 4 years ago
Unfortunately you don't explain how the receiving server can validate a correct password if it is salted. If it is random every time, how would the receiver know?
@himbary 5 years ago
Great video thanks, the effects are a bit loud tho
@sunnyclassroom24 5 years ago
Thanks a lot for your advice. I have lowered the volume for most recent videos.
@landonrivers 4 years ago
Is the salt supposed to be stored in the database for each user? Is salt something that a hacker would see?
@Kitulous 2 years ago
Yes, but it doesn't matter, since salt is not used to make a password more secret; it's used in order to not have a lot of identical passwords in a database, because in that case the attacker would find the most widely used password and try to crack it. If you salt your passwords, there will be no identical hashes, therefore a hacker would not know which passwords are actually identical.
Also, salt helps with eliminating rainbow table attacks, since the attacker would need to generate a rainbow table for each salt, and it would take ages.
Pepper, on the other hand, is not stored in a database; it's simply appended as a constant in the hashing function on your backend. Thus, if only the database is leaked and the server sources stay intact, the passwords are basically uncrackable. The attacker would need to brute force the pepper, and if the pepper is long enough, it would not be feasible.
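The scheme discussed in these comments (a per-user salt stored in the database, one site-wide pepper kept out of it, and recomputation at login), as an added Python example that is not from the video or from any commenter. It swaps the single hash for PBKDF2-HMAC-SHA256 from the standard library; the dict standing in for the database, the user names and the iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for this demo)


def hash_password(password: str, salt: bytes, pepper: bytes) -> bytes:
    """Digest of password + pepper, salted and stretched with PBKDF2-HMAC-SHA256."""
    secret = password.encode("utf-8") + pepper
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def register(db: dict, username: str, password: str, pepper: bytes) -> None:
    """Generate a fresh random salt for this user; store only salt and digest."""
    salt = secrets.token_bytes(16)
    db[username] = {"salt": salt, "digest": hash_password(password, salt, pepper)}


def login(db: dict, username: str, password: str, pepper: bytes) -> bool:
    """Read the user's stored salt, recompute the digest, compare in constant time."""
    record = db.get(username)
    if record is None:
        return False
    candidate = hash_password(password, record["salt"], pepper)
    return hmac.compare_digest(candidate, record["digest"])


def matches_stored_digest(record: dict, password: str, pepper: bytes) -> bool:
    """Check a password against one stored record using whatever pepper is supplied."""
    candidate = hash_password(password, record["salt"], pepper)
    return hmac.compare_digest(candidate, record["digest"])


def demo() -> dict:
    # Constructed pepper: lives in server configuration, never in the database.
    pepper = secrets.token_bytes(32)
    db = {}  # hypothetical stand-in for the users table
    register(db, "tom", "abc123", pepper)
    register(db, "amy", "abc123", pepper)  # same password, different salt
    return {
        "same_password_different_digest": db["tom"]["digest"] != db["amy"]["digest"],
        "correct_login": login(db, "tom", "abc123", pepper),
        "wrong_login": login(db, "tom", "abc124", pepper),
        # A copy of the database alone lacks the pepper, so even the right
        # password does not reproduce the stored digest.
        "db_copy_without_pepper": matches_stored_digest(db["tom"], "abc123", b""),
        "server_with_pepper": matches_stored_digest(db["tom"], "abc123", pepper),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The salt is not secret and is read back from the user's own row at login, which is how the server knows which salt to apply; only the pepper has to be protected separately.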
@taospencer1403 5 years ago
Are salts stored on the local machine? As they're not stored in the database??
@sunnyclassroom24 5 years ago
They are stored in the database on the server side.
@taospencer1403 5 years ago
I thought one was stored in the database & one was stored on the local machine? Doesn't storing all three, i.e. Salt/Password/Pepper, in the database kind of defeat the object of having them
@taospencer1403 5 years ago
If a hacker compromises the database then they'd have all three parts
@sunnyclassroom24 5 years ago
Passwords and salts are compromised but not pepper, which is a site-wide random value.
@sunnyclassroom24 5 years ago
Password is hashed and salt is random for each password in the database, but pepper is only known by the server, a secret not stored in the database.
@aashishkumarrai 2 years ago
Garlic & Napkin is the best!
@pastuh 4 years ago
Now I think... what if I just invert user letters? Normal letters to caps-lock and reverse?
@dmytroshchotkin2939 4 years ago
I've never heard of pepper, it makes sense though
@onosekewenu 1 year ago
Garlic = SMS text-message two-factor authentication (2FA)
Napkin = voice-based 2FA
@mhmdtolba7625 4 years ago
How do I know the hash without knowing the password?
@Anonymous-ed4id 4 years ago
Who the hell thumbed down on the video?!
@bigdaddygfunk 4 years ago
Wouldn't you know it, Trump used the word "salt" as his salt for Twitter
@jimmatrix7244 5 years ago
Is salt and pepper known as obfuscation?
@sunnyclassroom24 5 years ago
I think you are correct, in essence.
@alejandroalzatesanchez 1 year ago
Kind of spicy though
@danteeep 5 years ago
Nice, thx, but pepper is not explained well
@sayslah 3 years ago
Trump!