Luke I. wrote:
self.password_hash = encrypted_pw
end
Okay, this has prompted me to ask another question: in all of these, it
generates a new salt every time it generates a new password… is there
a particular reason for this? I understand it would be slightly more
secure… but it seems to me the added security of changing the salt
every time the password changes is basically negligible… if someone has
cracked the original salt, they’ve probably already hijacked the account
and changed the password themselves.
Don’t do that. The salt is there for a reason - it makes creating
comprehensive lookup tables that much harder. If you hardcode the salt,
you make it that much easier for someone to generate a lookup table that
covers all of your passwords. You don’t “crack the salt” - the salt
adds complexity to the password.
Salt (cryptography) - Wikipedia explains it well.
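As an added example (not Luke's code, nor anything from the thread), here are the two schemes side by side in Ruby: an app-wide hardcoded salt, where one precomputed table matches every account whose password is in the guess list, and a random per-password salt, where the same table matches nothing and a fresh table per account would be needed. PBKDF2-HMAC-SHA256 from the openssl gem stands in for whatever produced encrypted_pw; the user and guess lists are constructed sample data.

```ruby
require "openssl"
require "securerandom"

ITERATIONS = 20_000                                 # low to keep the demo quick; use far more in production
HARDCODED_SALT = "one-salt-for-everyone".freeze     # the weak, app-wide salt (constructed)

# PBKDF2-HMAC-SHA256 of password under salt, hex encoded.
def pbkdf2(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32,
                             OpenSSL::Digest.new("SHA256")).unpack1("H*")
end

# Weak: every account shares the same salt, so one table covers all of them.
def weak_record(password)
  { salt: HARDCODED_SALT, hash: pbkdf2(password, HARDCODED_SALT) }
end

# Hardened: a fresh random salt for each password, stored next to the hash.
# Regenerating it on every password change is what keeps it unpredictable.
def strong_record(password)
  salt = SecureRandom.hex(16)
  { salt: salt, hash: pbkdf2(password, salt) }
end

# Constant-time string comparison so verification does not leak the mismatch position.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify(record, password)
  secure_equal?(record[:hash], pbkdf2(password, record[:salt]))
end

# Precompute a table of guesses for ONE salt, then count how many stored
# records it explains. With a shared salt that single table covers the whole
# user base; with per-user salts it can only ever cover the one account
# whose salt it was built for.
def table_coverage(records, guesses, salt)
  table = guesses.map { |g| pbkdf2(g, salt) }
  records.count { |r| table.include?(r[:hash]) }
end

USERS   = ["letmein", "hunter2", "correct horse battery staple"].freeze  # constructed
GUESSES = ["letmein", "hunter2", "password", "123456"].freeze            # constructed

if __FILE__ == $PROGRAM_NAME
  puts "shared salt, one table: #{table_coverage(USERS.map { |p| weak_record(p) }, GUESSES, HARDCODED_SALT)} of #{USERS.size} accounts"
  puts "per-user salt, same table: #{table_coverage(USERS.map { |p| strong_record(p) }, GUESSES, HARDCODED_SALT)} of #{USERS.size} accounts"
end
```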