Don't use a 'hard coded' salt for password hash
pythoneer opened this issue · comments
I have looked through the code and found that it is using a hard coded salt for the password hash (`loginsalt`).
https://github.com/svenstaro/rust-web-boilerplate/blob/master/src/models/user.rs#L42
https://github.com/svenstaro/rust-web-boilerplate/blob/master/src/models/user.rs#L47
You should consider using a random value here and also saving it alongside your password hash inside the database, much in the same way the bcrypt-rs crate is doing it: https://github.com/Keats/rust-bcrypt/blob/master/src/lib.rs#L115
Either by concatenating both and splitting them, or just saving them in separate columns inside the database.
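As an added example (not the repository's code, and written against Python's standard library rather than a Rust crate), the snippet below shows per-user random salts, both storage layouts mentioned above (salt and digest concatenated in one field, or kept as two separate columns), and why a fixed salt makes two users with the same password produce the same stored hash. The salt length, iteration count and record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed parameters for this example, not the project's own settings.
ITERATIONS = 200_000
SALT_LEN = 16
SCHEME = "pbkdf2-sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn per call unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def same_password_collides(password: str, fixed_salt: Optional[bytes]) -> bool:
    """With a hard-coded salt, two accounts sharing a password get identical digests;
    with per-user random salts (fixed_salt=None) they do not."""
    _, a = hash_password(password, fixed_salt)
    _, b = hash_password(password, fixed_salt)
    return a == b


# Layout 1: one column holding scheme, iterations, salt and digest, '$'-separated.
def encode_record(salt: bytes, digest: bytes) -> str:
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def decode_record(record: str) -> Tuple[int, bytes, bytes]:
    scheme, iters, salt_hex, digest_hex = record.split("$")
    if scheme != SCHEME:
        raise ValueError("unknown hash scheme")
    return int(iters), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_record(password: str, record: str) -> bool:
    iters, salt, stored = decode_record(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


# Layout 2: salt and digest stored in two separate columns and passed in together.
def verify_columns(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)
```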