OK, I am using Java with Spring MVC and Hibernate. I am using bCrypt for password encryption for the first time. I understand that bCrypt integrates the salt with the hash. I have it set up currently so that the password is accepted as an input, is encoded with bCrypt, and is saved in one column of my SQL database.
However, I would like to separate the salt from the hash and store them separately. I have read, and tried many things, but cannot find a way to do this. So if anyone can point me in the correct direction that would be a great assistance.
This is what I have at present.
This is the basic code to setup bCrypt. It takes my password string, and encrypts it.
BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
String hashedPassword = passwordEncoder.encode(password);
The below code takes the password and puts it into a single column in the DB.
Best How To :
What you're asking to do isn't a good idea, or even feasible, for a couple of key reasons.
Hashing is a one-way process. Once the hash with a salt is computed, it would be* computationally expensive such that it is infeasible to get back the original salt.
Separating the salt from the hash and storing them in the same location is fundamentally insecure. The most ideal scenario is that a salt is truly random, and appended to the password when it's time to actually hash it.
That is, we describe a password P, a hash function h(x), and a salt operation S() which generates random values in the form:
P = h(x, S())
In the worst case scenario, someone that compromises your database or backing store will not only have access to the hashed password, they'll have access to the salt that contributed to that specific password right next to it, which is a big mistake.
*: Hopefully if you generated your salt in a truly random way, it would be computationally expensive. That's the point, after all.
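As an added example that is not part of the original question or answer: the 60-character string that Spring Security's BCryptPasswordEncoder returns has the fixed layout `$<version>$<cost>$<22-char salt><31-char hash>`, with the salt carried in the clear, so the fields can be split with plain string handling, stored in separate columns, and recombined for verification by handing the salt spec back to `BCrypt.hashpw`/`BCrypt.checkpw` from the same Spring package. The class and method names (`BcryptSplitExample`, `BcryptParts`, `split`, `join`, `matches`) and the sample password are my own assumptions, not code from the thread.

```java
import org.springframework.security.crypto.bcrypt.BCrypt;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

// Added example (not from the original thread): split a bcrypt string into
// its fields, store them in separate columns, and verify against them later.
public class BcryptSplitExample {

    // Holds the four fields of a bcrypt string "$<version>$<cost>$<salt><hash>".
    static final class BcryptParts {
        final String version; // "2a", "2b" or "2y"
        final int cost;       // log2 of the work factor, e.g. 10
        final String salt;    // 22 chars of bcrypt's base64 alphabet (128-bit salt)
        final String hash;    // 31 chars of the same alphabet

        BcryptParts(String version, int cost, String salt, String hash) {
            this.version = version;
            this.cost = cost;
            this.salt = salt;
            this.hash = hash;
        }
    }

    // Parse the 60-character string BCryptPasswordEncoder.encode() returns.
    // '$' never occurs in the salt/hash alphabet ("./A-Za-z0-9"), so splitting on it is safe.
    static BcryptParts split(String encoded) {
        if (encoded == null || encoded.length() != 60 || encoded.charAt(0) != '$') {
            throw new IllegalArgumentException("not a bcrypt string");
        }
        String[] f = encoded.split("\\$"); // ["", version, cost, salt+hash]
        if (f.length != 4 || f[3].length() != 53) {
            throw new IllegalArgumentException("malformed bcrypt string");
        }
        int cost = Integer.parseInt(f[2]);
        if (cost < 4 || cost > 31) {
            throw new IllegalArgumentException("bcrypt cost out of range: " + cost);
        }
        return new BcryptParts(f[1], cost, f[3].substring(0, 22), f[3].substring(22));
    }

    // The "salt spec" is everything before the hash; BCrypt.hashpw() accepts it
    // as its second argument and reuses the embedded cost and salt.
    static String saltSpec(String version, int cost, String salt) {
        return String.format("$%s$%02d$%s", version, cost, salt);
    }

    // Rebuild the full string from separately stored columns.
    static String join(BcryptParts p) {
        return saltSpec(p.version, p.cost, p.salt) + p.hash;
    }

    // Verify a candidate password against separately stored columns.
    // checkpw() rehashes the candidate with the stored cost and salt and
    // compares the result with the stored hash in constant time.
    static boolean matches(String candidate, String version, int cost, String salt, String storedHash) {
        return BCrypt.checkpw(candidate, saltSpec(version, cost, salt) + storedHash);
    }

    public static void main(String[] args) {
        String password = "correct horse battery staple"; // constructed sample input
        String encoded = new BCryptPasswordEncoder().encode(password);

        BcryptParts p = split(encoded);
        System.out.println("version=" + p.version + " cost=" + p.cost);
        System.out.println("salt   =" + p.salt); // what would go in a SALT column
        System.out.println("hash   =" + p.hash); // what would go in a HASH column

        if (!join(p).equals(encoded)) {
            throw new IllegalStateException("round trip failed");
        }
        if (!matches(password, p.version, p.cost, p.salt, p.hash)) {
            throw new IllegalStateException("correct password rejected");
        }
        if (matches("wrong password", p.version, p.cost, p.salt, p.hash)) {
            throw new IllegalStateException("wrong password accepted");
        }
        System.out.println("split/join/verify OK");
    }
}
```

If the columns are split this way, the version and cost have to be stored alongside the salt (or fixed application-wide), because `hashpw` needs all three to reproduce the hash; keeping the whole 60-character string in one column, as the question's current setup does, stores exactly the same information and is the layout `BCryptPasswordEncoder.matches` expects.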