I've been doing a lot of research to determine best practices for storing passwords for a system I'm currently developing. So far, I've decided that I'm going to be using a SHA512 hash with an RNG to generate a salt for each password (obviously best practice against Rainbow Tables etc).
Would storing the passwords in two separate fields in the table be too simplistic to determine the password representation in the database (there's a PasswordHash field and a PasswordSalt field)? It may seem like security through obscurity, but I was thinking of storing the salt and the password hash together in one field, concatenated together.
Would this "help" at all?
The easiest way is to put the salt in front of the password and hash the combined text string. The salt is not an encryption key, so it can be stored in the password database along with the username – it serves merely to prevent two users with the same password getting the same hash.
To stop them from precomputing hashes, the salt should be stored in the database so they can't get it before getting the hashes themselves. This means they need a lot of time to break the hashes after they compromise the database, which gives you a chance to change passwords before they get access.
That section is a "SHOULD" not a "SHALL". It is standard practice not to keep the salt secret but to save it with the password hashed verifier. If the salt is not secret a brute force search is possible if the password is weak such as being on a list of frequent passwords.
It doesn't really matter much. The salt doesn't give away any secrets; in fact, it helps keep secrets. If you want to impress your database designer friends, keep it in a field of its own. If you want to impress your optimizing friends, keep it with the hash. It's a matter of style, really.
Regarding the salt: you might want to make it long enough to protect against rainbow table attacks: http://en.wikipedia.org/wiki/Rainbow_table#Defense_against_rainbow_tables
Store it separately.
Remember what you are protecting against: The scenario is someone gets a copy of your database and therefore can execute a rainbow-table lookup against the fields, if not salted.
It really doesn't matter if the attacker knows the salt; it's just to stop him from using pre-generated rainbow tables.
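Putting the answers above into code, as an added example that is not from any of the posters: the salt-in-front SHA-512 scheme from the first answer, stored either as two fields (PasswordSalt, PasswordHash) or packed into one field and parsed back out, with a constant-time comparison on verify. The function names and the 16-byte salt length are my own assumptions, not anything from the thread.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SALT_LEN = 16          # assumed: 16 random bytes, far beyond what a precomputed table could cover
DIGEST_LEN = hashlib.sha512().digest_size   # 64 bytes


def salted_sha512(salt: bytes, password: str) -> bytes:
    """Salt in front of the password, then hash the combined bytes (the first answer's scheme).

    Caveat: a single SHA-512 is fast, so brute force after a database leak is cheap;
    a deliberately slow KDF such as hashlib.pbkdf2_hmac or hashlib.scrypt is the usual
    choice in practice. The storage question below is the same either way.
    """
    return hashlib.sha512(salt + password.encode("utf-8")).digest()


def create_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Two-field representation: returns (PasswordSalt, PasswordHash)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)   # fresh random salt per password
    return salt, salted_sha512(salt, password)


def pack_single_field(salt: bytes, digest: bytes) -> str:
    """One-field representation: hex(salt) || hex(hash). A fixed salt length keeps it parseable."""
    return salt.hex() + digest.hex()


def unpack_single_field(field: str) -> Tuple[bytes, bytes]:
    """Split the concatenated field back into (salt, hash); reject anything malformed."""
    raw = bytes.fromhex(field)
    if len(raw) != SALT_LEN + DIGEST_LEN:
        raise ValueError("malformed stored password field")
    return raw[:SALT_LEN], raw[SALT_LEN:]


def verify(stored_salt: bytes, stored_digest: bytes, candidate: str) -> bool:
    """Recompute with the stored (non-secret) salt; compare in constant time."""
    return hmac.compare_digest(salted_sha512(stored_salt, candidate), stored_digest)


def verify_single_field(field: str, candidate: str) -> bool:
    salt, digest = unpack_single_field(field)
    return verify(salt, digest, candidate)
```

Whether the salt sits in its own column or inside the packed field, the verifier gets exactly the same inputs, which is why the answers call it a matter of style.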