This channel is pure gold. Clear and concise information.
Thank you for the great lessons.
I need like each video to no see them two times...
Garlic and napkin, that was funny at the end!
I wish that you never quit providing this high-quality material. This channel is really underrated.
Thanks Sunny. Your videos are nicely put together. Pretty good material, delivery is clear and concise using nice animations, length is appropriate = Excellent job!!
So nice of you
I never comment on YouTube, but you deserve it. It's amazing, a very good explanation and really easy to understand.
Thank you very much! I appreciate it.
Sunny you have the best explanations for topics on the internet
Sunny, I am taking a course to become an IT support specialist. After I take my lessons, I always come to your channel to actually understand my teachers. hahaha. Thanks so much, you are the best!
You rock!
Clear illustrations and examples are given. Really a good video for new learners to know more about salted hash and peppered hash. Thanks!
Monsieur, that is a great channel! Clean, concise, short but full of content. Great job, many thanks!
Thanks for the graphical explanation. This makes so much more sense.
I think it was a perfect representation and explanation about hash, salt, and pepper. Thanx a lot.
WOW! came to learn real quick what salting is... stayed for the animations 😎
You are the best with this method of explanation :)
Amazing lessons. Thank you so much Sunny.
You are welcome! I appreciate it.
Loved the salt and mixer animation :D too good.. One of the best explanations. Binge-watching all your videos.
Thank you so much 😀
Very concise explanations!
These are great videos! Very simple to understand...
Many thanks for your nice comment.
LOL! Tomorrow we might need garlic and napkin :D
A very good, very clear explanation. Thank you very much.
Thank you sir. God bless you.👍😊👏👏
Visual explanation. Superb.
Great work 👍
Thank you!
Very good! Thank you, Sunny! Thank You! : ) ❤
Thanks man . Helped a lot with the playlist ! :)
Glad it helped!
Where have you been, or where have I been, not able to find you... Your explanations are AMAZING. Simple to understand. Critical for exams like CISSP where you are drilled on the concept!! Thanks for doing these.
Wow, thank you!
Amazing Sunny!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Good job Mr!
You are awesome , all videos are good and well explained
Many thanks for your kind words.
Great class! loved it!
Thanks a lot great explanation 😀😀🎉
Thanks for the video!
1. Who generates the 'salt'? The user or some system?
2. When the user enters their password to authenticate, which system is aware of the salt to add it to the password that the user entered to run it through the hash algorithm?
3. I am assuming that since the salt is stored in the same DB as the user details, would a compromise of the DB mean that the user account (provided the attacker already knows the user password) is now compromised?
4. Is there a reason why the salt is stored in the same DB?
Stumbled upon this channel, ended up subscribing in the first minute :)
I am having the same doubt after listening to the video
Very good explanation! So if I understood correctly, I can do this: Assign my users randomly generated passwords, don't use a salt, but should use a pepper to hash these passwords in my backend, so that insiders (to my db) cannot simply read the passwords there, correct?
Hi, Today's topic is Salt & Pepper.
Would I like some Salt &amp; Pepper on my omelette? I don't know, but passwords can surely use it!
Greatly done Sunny...!
🥇🎖🏅
Another satisfying video! :)
It is extremely simple to understand
Nice video. Good explanation of Salt/Pepper. Think next will be Ketchup and Mustard.
Thank you very much for your comment. I will watch if new technologies are coming out :)
I will save your channel in my favorites.
Thank you soooooooo much. Could you please explain more about putting pepper on a password?
Pepper is a site-wide secret. For example, the programmer adds "sunny" to everyone's password. When Tom signs up for the first time, he chooses "abc123" as his password; as he submits his signup to the database, his password is abc123sunny.
Like a salt, pepper is a random value. But it is different from salt, because a salt is a unique value for each user, and the pepper is for everyone in the database. In other words, a pepper is a site-wide static value. Pepper is not stored in the database. It is a secret.
For example, pepper is: abcde
password: sunny
salt is: 12345
Then my new password with salt and pepper would be a hash of "sunny12345abcde". The purpose is to make the password more random.
@@sunnyclassroom24 OK, then don't store the salt in the database from the beginning and make it site-wide static; then there is no need for pepper, why not?
@@sunnyclassroom24 So how about if someone types sunny as the password, wouldn't he get the user?? Because the salt and pepper will be added automatically to the password.
Wow, I love your teaching. Thanks.
Amazing content. Explained so well I would recommend this course to Einstein :) Thank you so much. This was so useful. Subscribed already and liked all the videos on this playlist.
:) :) nice one Sunny!!
Thanks! 😊
Thank you Sunny !
Is it okay to store the user salts along with the user details in the database?
and should we encrypt user email id too or only the password?
I'm using AES to encrypt the user credentials.
Great Explanation!
Many thanks for your kind words!
Thank you. Nicely done explanation.
Sir, you are saying that the hash algorithm is not reversible, but in another video using CrackStation you got the password from multiple digests. If it is not reversible, then how does this happen? Please reply.
Great question. The method is like this. CrackStation or hackers generate millions of digests/hashes and then match your hash; once they are the same, they know the original text. You can check my video called "dictionary attack or brute force attack", and you will find hackers use this method to hack our hashed passwords. Thank you for your great question.
Thank you so much!!🌈
Nice explanation, dear.
Thanks a lot RK.
@@sunnyclassroom24 Sunny Classroom, I have major queries, that is:
1. If an attacker has the salted hashing database, he can do a brute force attack and he can be authenticated, right?
2. If pepper is not stored in the database, then where is it stored?
3. Salt and pepper = new hash value?
4. Pepper = new hash value?
5. Some hackers convert a hash value into plaintext; is it possible?
6. What are pre-calculated hashes in a rainbow table?
Because my interviewer asked me these questions, that's why I'm asking you, dear.
Please give me a reply.
@@rk.x01 1. Yes. 2. Only the web developer/owner knows the pepper. 3. password + salt + pepper = hash value. 4. Pepper is not a hash value; salt is not a hash value either. 5. The hash value is not reversible, but they can check against the candidate table. 6. A pre-generated candidate hash table. Please check my three videos: hash function, dictionary attack and brute force attack; you would understand how hash functions work.
@@sunnyclassroom24 thank you.
@@rk.x01 You are welcome!
Where did you get a salt that consists of e54f2? Thanks.
A random value for each user.
Really great content! But I still have some open questions..
1) Is it always password+salt+pepper (+ meaning concat of these values)? Or is the order implementation specific?
2) What are decent ways to figure out salt & pepper once you have access to the database?
To me the most convenient way seems to be: create a new user with a simple password and try to crack the resulting hash that will be put into the database.
Also, does the Pepper change? I think it would be really strong if we would choose different pepper according to the timestamp for example?
Greetings, really enjoy your content! Hope you don't mind the questions.
If each password is randomized by the user, the salts and peppers are extra.
The problem is too many users use the same password on every damned thing.
With all the open source, free, and paid options for a password database, it is just pointless.
Your videos are very informative and have excellent content. Thanks!
I have a question here. To avoid hacks, you had mentioned that the hash is done on the whole set of (user pwd + salt + pepper), and hence the digest is created on much more complex data, which would be difficult to retrieve from lookups.
May I know how would the same user be authenticated when next time he logs in..? Would the salt and pepper be stored along with the user identity?
Good questions.
1) The more elements added, the more difficult to hack.
2) each user has a salt of his own
3) every user shares a pepper (a secret known only to the system developer)
4) The same user still uses his normal password in clear text, but it is hashed, then salted, and then the pepper is added; then the result is compared to the stored digest, and if it matches, the user is authenticated. The whole process is only used to hide the real plain text password.
Thanks for the clarification Sunny :)
@Sainath Sk the password remains the same as long as the user does not update her/his password.
The user only logs in with his password. The salt is saved in the database, and the pepper is a site-wide secret shared by all users in the database. To a user, all he knows is his password.
Thank you, sir, for the explanation.
With salting of passwords, wouldn't there have to be a database that has the salt stored, so when you sign in, it will have to match it up to your inputted password and then hash it to compare it with that saved digest? If the salt is random, how does it know what salt to add every time you sign in?
Thank you so much for this =]
Nice explanation.
I have one query.
Salt + hash + pepper = total hash value stored somewhere?
Salt + hash = salted value stored in the database? And (salted hash + pepper) = final hash value stored somewhere after the three are hashed?
Please reply to me.
Salt + hash + pepper = total hash will not be stored anywhere. It is only in the process of login. Thus a man-in-the-middle attack will be avoided. Storage in any database would compromise the technologies.
@@sunnyclassroom24 Okay. I mean, after hashing salt + password + pepper, is this hash value stored in some secret place or database?
Because in the salted hashing case, the salt + password value is stored in the database only, right?
I think now you understand my question.
@@pt9606 Yes, they should be stored in the database with their user name.
This is a great explanation, but what, when or how does the salting take place?
😂😂 In the future there will be onion, tomato, rice also.. Your video explanation is very, very good.
Thank god you exist in the world!!
@sunny Classroom
1. So when user1 chooses "password123", the server will compute (password123 + salt (unique value per user) + pepper (same value for all)) >> hashing, and save the hash???
2. The salt is saved in the database, but the pepper isn't saved anywhere; it is "hard coded" and known to the server code only.
Am I right?
PS: at 2:45 and 4:47, the "user name" header should be changed to "user password"??
Great job Sunny.. Miss new videos.
Are salts stored on the local machine? Aren't they stored in the database??
They are stored in the database on the server side.
I thought one was stored in the database &amp; one was stored on the local machine? Doesn't storing all three, i.e. salt/password/pepper, in the database kind of defeat the object of having them?
If a hacker compromises the database, then they'd have all three parts.
Passwords and salts are compromised, but not the pepper, which is a site-wide random value.
The password is hashed and the salt is random for each password in the database, but the pepper is only known by the server, a secret not stored in the database.
I loved this video
You are awesome! Thanks, sir.....
Is the salt supposed to be stored in the database for each user? Is salt something that a hacker would see?
Yes, but it doesn't matter, since salt is not used to make a password more secret. It's used in order to not have a lot of identical passwords in a database, because in that case the attacker would find the most widely used password and try to crack it. If you salt your passwords, there will be no identical hashes; therefore a hacker would not know which passwords are actually identical.
Salt also helps with eliminating rainbow table attacks, since the attacker would need to generate a rainbow table for each salt, and it would take ages.
Pepper, on the other hand, is not stored in a database; it's simply appended as a constant in the hashing function on your backend. Thus, if only the database is leaked and the server sources stay intact, the passwords are basically uncrackable. The attacker would need to brute force the pepper, and if the pepper is long enough, it would not be feasible.
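Added example, not code from the channel or from any commenter, that ties together the pepper walkthrough given earlier in the thread (password "sunny", salt "12345", pepper "abcde"), the login flow the channel owner describes (user sends only the password; server looks up the salt and re-adds the pepper), and the point made just above about what a leaked users table does and does not expose. The three inputs are the same, but they are fed through PBKDF2-HMAC-SHA256 instead of a single plain hash; the pepper value, the in-memory users table and the usernames are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed pepper for this example. In a deployment it lives in server-side
# configuration (environment variable, secrets manager), never in the user table.
PEPPER = b"abcde"

# Constructed stand-in for the users table: it holds only a per-user salt and digest.
users: dict = {}


def hash_password(password: str, salt: bytes, pepper: bytes = PEPPER) -> bytes:
    """Derive the stored digest from password, per-user salt and site-wide pepper.

    The thread describes hash(password + salt + pepper); here the same inputs go
    through PBKDF2-HMAC-SHA256 so that every guess costs real CPU time.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode() + pepper, salt, 100_000)


def register(username: str, password: str) -> dict:
    """Sign-up: the server, not the user, draws a fresh random salt per account."""
    salt = secrets.token_bytes(16)
    digest = hash_password(password, salt)
    users[username] = {"salt": salt.hex(), "digest": digest.hex()}
    return users[username]


def verify(username: str, password: str) -> bool:
    """Login: the user supplies only the password; the server looks up the salt,
    re-adds the pepper, recomputes the digest and compares in constant time."""
    record = users.get(username)
    if record is None:
        # Burn a derivation anyway so unknown usernames take as long as wrong passwords.
        hash_password(password, bytes(16))
        return False
    salt = bytes.fromhex(record["salt"])
    candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


def matches_with_pepper(username: str, password: str, pepper: bytes) -> bool:
    """What a leak of the users table alone allows: the salt is visible, so a digest
    can be recomputed for a candidate password, but it only matches with the right pepper."""
    record = users[username]
    salt = bytes.fromhex(record["salt"])
    candidate = hash_password(password, salt, pepper)
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


if __name__ == "__main__":
    register("tom", "abc123")
    register("ann", "abc123")  # same password, different salt, so a different digest
    print("digests differ:", users["tom"]["digest"] != users["ann"]["digest"])
    print("correct password:", verify("tom", "abc123"))
    print("wrong password:", verify("tom", "abc124"))
    print("leaked table, pepper unknown:", matches_with_pepper("tom", "abc123", b"guess"))
    print("leaked table plus pepper:", matches_with_pepper("tom", "abc123", PEPPER))
```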
Please, can you provide an example in Java of a salt &amp; pepper implementation?
Superb
Thank you for the digestible and tasteful explanation, could have used a bit less salt in the end ;)
Sunny, I hope you read this.
You are amazing, the detail and explanation are to the point and very clear.
Kudos man !!
However, there is one thing, in my opinion of course, which can be improved and that is - that terrible music. It's just a recommendation - please change it.
Love your work.
Thank you !!
Yes, thanks a lot for your suggestion. In the latest videos (the last 50 videos), I try to cut the music or lower the volume. Thanks a lot for your advice. You are very welcome to point that out.
You are awesome!
Garlic = SMS text-message two-factor authentication (2FA)
Napkin = voice-based 2FA
AWESOME !
Great video, thanks; the effects are a bit loud though.
Thanks a lot for your advice. I have lowered the volume for most recent videos.
Unfortunately you don't explain how the receiving server can validate a correct password if it is salted. If it is random every time, how would the receiver know?
Thanks!!!
Now I think... what if I just invert user letters? Normal letters to caps lock and reverse?
Garlic & Napkin is the best!
Thank you, garlic and napkin :)
Most welcome 😊
I keep coming back for the jokes
You sound like Jian-Yang. Love the video tho!
LOL, true.
Who the hell thumbed down on the video?!
I've never heard of pepper, it makes sense though
How do I know the hash without knowing the password?
Wouldn't you know it, Trump used the word "salt" as his salt for Twitter
Is salt and pepper known as obfuscation?
I think you are correct, in essence.
Nice, thanks, but pepper is not explained well.
kind of spicy though
Trump!