There have been a couple of great discussions regarding salt best practices, and it seems the overwhelming recommendation is to generate a different salt for each password and store it alongside the password in the database.
However, if I understand the purpose of salt correctly, it is to reduce the chance that you will be compromised by rainbow table attacks. So, I understand that by storing it in the database it would be optimal to change it for each user, but what if the salt is nowhere near the database? If I store a single salt value in the code (which would on the web server be in a compiled dll), wouldn't that serve the same purpose if an attacker were to somehow gain access to the database? It would seem to me to be more secure.
Often, they are prepended to the hash and stored in the same field. There is no need to store them separately - the point is to use a random salt for each password so that a single rainbow table can't be used against your entire set of password hashes.
The easiest way is to put the salt in front of the password and hash the combined text string. The salt is not an encryption key, so it can be stored in the password database along with the username – it serves merely to prevent two users with the same password getting the same hash.
A cryptographic salt is made up of random bits added to each password instance before its hashing. Salts create unique passwords even in the instance of two users choosing the same passwords. Salts help us mitigate hash table attacks by forcing attackers to re-compute them using the salts for each user.
The value of a salt lies in it being different for each user. You also need to be able to retrieve this non-unique value when you're re-creating the hashed value for comparison purposes.
If you store a single salt value that you use for every password, then you massively reduce the value of having a salt in the first place.
The purpose of a salt is to require the regeneration of a rainbow table per password. If you use a single salt, the hacker/cracker only has to regenerate the rainbow table once and he has all your passwords. But if you generate a random one per user, he has to generate one per user. Much more expensive on the hacker's part. This is why you can store a salt in plain text: it doesn't matter if the hacker knows it as long as there's more than one.
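The two points made above (store the salt and hash together in one field, and a single shared salt lets one precomputed table crack every account) can be shown in a few lines. This is an added example, not code from any of the answers; the `salt$hash` field layout, the fixed `global_salt` value, the user names, passwords and four-word wordlist are all constructed for the demonstration, and PBKDF2-HMAC-SHA256 is my choice of slow hash rather than anything the thread specifies.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Work factor for PBKDF2; an assumption for the example, not a value from the thread.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return one database field of the form 'salt_hex$hash_hex'.

    A fresh 16-byte random salt is drawn per call unless one is supplied,
    which is how the per-user scheme described above works."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Split the stored field, recompute with the stored salt, compare in constant time."""
    salt_hex, hash_hex = stored.split("$", 1)
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(recomputed, bytes.fromhex(hash_hex))


def build_table(salt: bytes, candidates: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> password for ONE salt: a miniature rainbow table.

    The attacker pays this cost once per distinct salt they want to attack."""
    return {
        hashlib.pbkdf2_hmac("sha256", c.encode(), salt, ITERATIONS).hex(): c
        for c in candidates
    }


def crack(records: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Look every stored hash up in a table; returns {user: password} for the hits."""
    found = {}
    for user, stored in records.items():
        _, hash_hex = stored.split("$", 1)
        if hash_hex in table:
            found[user] = table[hash_hex]
    return found


def demo() -> Tuple[Dict[str, str], Dict[str, str], Dict[str, str], Dict[str, str]]:
    # Constructed sample data: three users, two of whom chose the same password.
    users = {"alice": "password123", "bob": "letmein", "carol": "password123"}
    # Constructed attacker wordlist; the attacker does not know which users chose what.
    wordlist = ["123456", "password123", "letmein", "qwerty"]

    # Scheme 1: one application-wide salt (the 'salt in the DLL' idea from the question).
    global_salt = b"fixed-app-salt--"  # constructed constant, 16 bytes
    global_db = {u: hash_password(p, global_salt) for u, p in users.items()}
    # One table, built once for the single salt, is checked against every record.
    cracked_global = crack(global_db, build_table(global_salt, wordlist))

    # Scheme 2: a random salt per user, stored in the same field as the hash.
    per_user_db = {u: hash_password(p) for u, p in users.items()}
    # The attacker builds a table for alice's salt only; it cannot match anyone else,
    # even carol, who chose the same password as alice.
    alice_salt = bytes.fromhex(per_user_db["alice"].split("$", 1)[0])
    cracked_per_user = crack(per_user_db, build_table(alice_salt, wordlist))

    return global_db, cracked_global, per_user_db, cracked_per_user


if __name__ == "__main__":
    gdb, gcracked, pdb, pcracked = demo()
    print("global salt, cracked:", gcracked)      # all three users
    print("per-user salt, cracked:", pcracked)    # only alice
```

With the global salt, alice and carol even end up with identical stored fields, which leaks that they share a password before any cracking starts; with per-user salts the attacker has to rebuild the table for each of the three salts to get the same result.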
Security by obscurity is not good; Microsoft has taught us that.
... until the attacker gains access to the DLL.