Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Storing salt in code instead of database

There have been a couple of great discussions regarding salt best practices, and it seems the overwhelming recommendation is to generate a different salt for each password and store it alongside the password in the database.

However, if I understand the purpose of salt correctly, it is to reduce the chance that you will be compromised by rainbow table attacks. So, I understand that by storing it in the database it would be optimal to change it for each user, but what if the salt is nowhere near the database? If I store a single salt value in the code (which would on the web server be in a compiled dll), wouldn't that serve the same purpose if an attacker were to somehow gain access to the database? It would seem to me to be more secure.

like image 643
ern Avatar asked May 18 '09 16:05

ern


People also ask

Do you need to store salt in database?

Often, they are prepended to the hash and stored in the same field. There is no need to store them separately - the point is to use a random salt for each password so that a single rainbow table can't be used against your entire set of password hashes.

Where should password salts be stored?

The easiest way is to put the salt in front of the password and hash the combined text string. The salt is not an encryption key, so it can be stored in the password database along with the username – it serves merely to prevent two users with the same password getting the same hash.

Why is a salt added to a password that is being stored in a database?

A cryptographic salt is made up of random bits added to each password instance before its hashing. Salts create unique passwords even in the instance of two users choosing the same passwords. Salts help us mitigate hash table attacks by forcing attackers to re-compute them using the salts for each user.

Where do we store salt?

Salt should be stored in an airtight container in a cool, dry, dark location. Salt can be purchased in bulk and repackaged for long term storage in smaller containers. Oxygen absorbers are not recommended when packaging salt for long term storage.


3 Answers

The value of a salt lies in it being different for each user. You also need to be able to retrieve this non-unique value when you're re-creating the hashed value for comparison purposes.

If you store a single salt value that you use for every password, then you massively reduce the value of having a salt in the first place.

like image 106
Glen Avatar answered Nov 03 '22 13:11

Glen


The purpose of a salt is to require the regeneration of a rainbow table per password. If you use a single salt, the hacker/cracker only has to regenerate the rainbow table once and he has all your passwords. But if you generate a random one per user, he has to generate one per user. Much more expensive on the hackers part. This is why you can store a salt in plain text, it doesn't matter if the hacker knows it as long as there's more than one.

Security by obscurity is not good, microsoft has taught us that.

like image 21
Malfist Avatar answered Nov 03 '22 13:11

Malfist


... until the attacker gains access to the DLL.

like image 39
pjc50 Avatar answered Nov 03 '22 12:11

pjc50