Is there a way to export the salt for a user password?

I am looking to get the salt value for a user password.

I have read how DS stores password values

Specifically, I am interested in

Name |Applicable versions | Salt size (bytes) | Key size (bits) | Format
PBKDF2-HMAC-SHA256 | DS 7 and later | 16 | “{PBKDF2-HMAC-SHA256}” <iterations> “:” base64(<digest> <salt>)

I also see the code to get the hash length and salt length here:

I tried to update the code to get the salt value from the following but cannot seem to get it. (This is test data, not concerned about posting here.)

var original = “{PBKDF2-HMAC-SHA256}10:8c7nLGEIXeZf45YQ92A2MD+v8olvKKl6iWXGQZoluJ/awqZnHwFvslIOx7xOZ9AV”

Shouldn’t I be able to get the salt from this string?

Solved it.

import java.util.Arrays;
import java.util.Base64;

class PBKDF2HashExtractor
    static final int SHA_ALGORITHM_SIZE = 32; // Number of bytes returned from a SHA-1 hash
    static final String PREFIX = "{PBKDF2-HMAC-SHA256}10:"; // PBKDF2 prefix

    public static void main(String[] args)

        //example hash
        var original = "{PBKDF2-HMAC-SHA256}10:09WsfABUXWTsm6WVP1T//rdhSUPA0FwkQoZSSqBeojoxdKon88VAnzjlCFDkXQun";

        var base64 = original.substring(PREFIX.length());
        var bytes = Base64.getDecoder().decode(base64);

        //split the hash into pw hash and salt
        var hashBytes = Arrays.copyOfRange(bytes, 0, SHA_ALGORITHM_SIZE);
        var saltBytes = Arrays.copyOfRange(bytes, SHA_ALGORITHM_SIZE, bytes.length);

        //encode pw hash
        String hashEncode = Base64.getEncoder().encodeToString(hashBytes);
        System.out.println("Endoded Password Hash = " + hashEncode);

        //encode salt
        String saltEncode = Base64.getEncoder().encodeToString(saltBytes);
        System.out.println("Endoded Salt = " + saltEncode);

        System.out.println("Hash length = " + hashBytes.length);
        System.out.println("Salt length = " + saltBytes.length);



Endoded Password Hash = 09WsfABUXWTsm6WVP1T//rdhSUPA0FwkQoZSSqBeojo=
Endoded Salt = MXSqJ/PFQJ845QhQ5F0Lpw==
Hash length = 32
Salt length = 16


Hi Markr, great job! The steps you worked out for extracting the salt value from the encoded hash are immensely valuable to our community. Thank you for sharing this information with the collective! :+1:

1 Like