How can salted passwords work if you don't "keep the salts in the system"?



  • In this report on the recent ParkMobile breach, the article has this comment from the company:

    “You are correct that bcrypt hashed and salted passwords were obtained,” Perkins said when asked about the screenshot in the database sales thread. “Note, we do not keep the salt values in our system,” he said.

    If the salts are not "in the system", how could a system match a user-entered password to their salted hashes?



  • In this report on the recent ParkMobile breach, the article has this comment from the company: “You are correct that bcrypt hashed and salted passwords were obtained... Note, we do not keep the salt values in our system...”

    The article states that "spokesman" Jeff Perkins made this comment.

    Per ParkMobile's website, Mr. Perkins's title is "Chief Marketing and Product Officer."

    With all due respect to the marketing folks, Mr. Perkin's may not be completely up to speed on all the technical details of ParkMobile's password hashing, and may not be speaking with perfect precision. Therefore, one answer to your question might simply be that his statement is not technically correct.

    If the salts are not "in the system", how could a system match a user-entered password to their salted hashes?

    This is a reasonable question to ask, since typically one stores the salts along with the hashes for bcrypt. That is, typically, the format of the stored bcrypt output is:

    $2b$[cost]$[22 character salt][31 character hash]
    

    Therefore, typically, the salt would be stored in the same database as the hash.

    Without seeing the actual data from the data breach it is hard to say for sure what is going on here.

    One answer is just that Mr. Perkins is wrong. However, there are certainly other possibilities, such as:

    • By "salt" he actually means "pepper."
    • They separate the bcrypt outputs (for example at the "$" characters) and actually do store the hash in a different database than the salt. In this case they still need to store the salt, and maybe the "system" in the quote is the hash database rather than the salt database. Note that this possibility is complete speculation (and atypical bcrypt usage).


Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2