Password Encryption

fer...@gmail.com

Jul 27, 2015, 7:13:40 AM
to Canvas LMS Users
Hi!

I am trying to understand how the encrypted password works. I have seen that the password is stored in the database field "pseudonyms.crypted_password". Doing some research on the code, I found out that the encryption is SHA512, so crypted_password should be like:

crypted_password = SHA512("plain_password"+password_salt)

But when I test it myself, encrypting my password and the salt of that user (which I get from the same pseudonym table) with SHA512, I don't get the same encrypted password I see in the database.

So how is the password actually encrypted?

Thank you!

Cody Cutrer

Jul 27, 2015, 10:54:12 AM
to canvas-l...@googlegroups.com


fer...@gmail.com

Jul 27, 2015, 11:27:51 AM
to Canvas LMS Users, co...@instructure.com
Hi

I didn't understand what you mean with 

In that code line I see that the array is raw_password and salt, so crypted password should be something like this:

 crypted_password = 20.times {SHA512("plain_password"+password_salt)}

No?

Thank you!

Cody Cutrer

Jul 27, 2015, 12:13:35 PM
to fer...@gmail.com, Canvas LMS Users
I think you understand, but your pseudo-ruby-code is not quite correct:

```
crypted = "plain password" + salt
20.times { crypted = SHA512(crypted) }
```

Cody Cutrer
Software Engineer
Instructure

fer...@gmail.com

Jul 28, 2015, 9:30:34 AM
to Canvas LMS Users, co...@instructure.com
I got it now, thank you so much Cody!

acplace...@gmail.com

Aug 4, 2017, 6:29:22 PM
to Canvas LMS Users, co...@instructure.com
Can you please explain it in more detail? What does it mean, 20 times?

ralph.otowo

Aug 5, 2017, 3:05:32 AM
to canvas-l...@googlegroups.com, co...@instructure.com




Sent from my Samsung Galaxy smartphone. P,

Cody Cutrer

Aug 9, 2017, 11:29:34 AM
to acplace...@gmail.com, Canvas LMS Users
It means that the password (plus salt) is hashed. Then that hash is hashed. Then _that_ hash is hashed. 20 times.

Cody Cutrer
Software Engineer
Instructure
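
The loop described in this thread, as an added Ruby example that is not part of any post and is not Canvas's own code. It assumes each round feeds the lowercase hex digest of the previous round back in (the thread does not state the encoding); the password and salt are constructed sample values, and the helper names are hypothetical.

```ruby
require 'digest'

ROUNDS = 20 # iteration count stated in the thread

# Hash password+salt, then hash that hash, and so on, `rounds` times in total.
# Assumption: the input to each later round is the previous round's hex digest.
def stretched_sha512(password, salt, rounds = ROUNDS)
  crypted = password + salt
  rounds.times { crypted = Digest::SHA512.hexdigest(crypted) }
  crypted
end

# Same loop, but feeding raw digest bytes back in. Included only to show that
# the intermediate encoding changes the final value, a common reason a
# recomputed hash does not match the stored one.
def stretched_sha512_raw(password, salt, rounds = ROUNDS)
  crypted = password + salt
  rounds.times { crypted = Digest::SHA512.digest(crypted) }
  crypted.unpack1('H*')
end

# Compare two strings without stopping at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Recompute the stretched hash for a login attempt and compare it to the
# stored crypted_password value.
def password_matches?(candidate, salt, stored)
  secure_equal?(stretched_sha512(candidate, salt), stored)
end

if __FILE__ == $PROGRAM_NAME
  salt   = 'Xq3v9TzLm0aB' # constructed sample salt
  stored = stretched_sha512('plain password', salt)
  single = Digest::SHA512.hexdigest('plain password' + salt)

  puts "single round matches stored? #{single == stored}"
  puts "raw-byte loop matches stored? #{stretched_sha512_raw('plain password', salt) == stored}"
  puts "correct password verifies?    #{password_matches?('plain password', salt, stored)}"
  puts "wrong password verifies?      #{password_matches?('wrong password', salt, stored)}"
end
```
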