#1 Put a potato on it! (Devshed Newbie, Maryland, joined Jul 2008)
    Best practice with storing a salt


    I'm building a project for work that has a login mechanism. I'd like to follow good practices as much as possible so I'll be using a per-user salt and hashing it with sha256 at the least. My question is on storing those salts. The easiest would be to store it in our database. At first my concern was that if someone got access to the database they would have access to the salts, but then again, they'd have access to everything else as well in that database. So I guess my question would be, is this a legitimately secure way to store these salts? It's not an overly complex application, it stores pretty basic info, first and last name, email address, maybe street address, no cc information, but I would like to be security-minded and be able to protect our users, just not sure of how far I should go.

    Any advice would be great.
    "Those who can make you believe absurdities can make you commit atrocities."
#2 Lord of the Dance (Devshed Expert, joined Oct 2003)
    As you said, there is a lot more sensitive information than the password.

    From my knowledge, one of the reasons to use a salt is to prevent a rainbow scan on the hashes and thereby get the clear-text password.

    An expert will have to fill in the rest.
#3 Lost in code (E-Oreo, Devshed Supreme Being, joined Dec 2004)
    Salts are normally stored "next" to the passwords. They still serve their purpose even if they are known to the attacker.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
#4 Registered User (Devshed Newbie, joined Nov 2012)
    Originally Posted by E-Oreo
    Salts are normally stored "next" to the passwords. They still serve their purpose even if they are known to the attacker.
    I agree; most encryption tutorials don't attempt to "hide" the salt in any way, so it's safe to store it next to the passwords.
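The point made in #3 and #4 (the salt lives next to the hash and stays useful even when the attacker can read it) is easy to see in code. The following is an added example, not code from the thread or from the poster's project; it assumes a Python login backend and uses PBKDF2-HMAC-SHA256 from the standard library rather than a bare sha256 call, the record layout `algo$iterations$salt$digest`, the iteration count, and the short word list are all assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Record layout (assumption for this example): "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>".
# The salt is stored in the clear, right next to the digest; it is not a secret,
# it only has to be unique per user so that equal passwords hash differently.
ALGO = "pbkdf2_sha256"
ITERATIONS = 100_000  # assumed work factor; tune to your hardware

def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record containing the per-user salt and the derived digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh 16-byte random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the salt read from the record and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != ALGO:
        raise ValueError("unsupported hash record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def same_password_different_records(password: str) -> bool:
    """Two users with the same password get different records, yet both verify."""
    a = hash_password(password)
    b = hash_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)

# Constructed sample word list standing in for an attacker's precomputed table.
WORDLIST = ["password", "123456", "letmein", "hunter2"]

def unsalted_table(words):
    """A precomputed digest -> word table, the kind of thing salts are meant to defeat."""
    return {hashlib.sha256(w.encode("utf-8")).hexdigest(): w for w in words}

def crack_with_table(stored: str, table) -> Optional[str]:
    """Look the stored digest up in the precomputed table; salted digests are not in it."""
    digest_hex = stored.split("$")[3]
    return table.get(digest_hex)

def crack_by_recomputing(stored: str, words) -> Optional[str]:
    """Knowing the salt, the attacker can still guess, but must redo the work for every record."""
    for w in words:
        if verify_password(w, stored):
            return w
    return None
```

What this shows: the database leak hands the attacker the salt, but the only thing that buys them is the ability to run an online guessing loop per record (`crack_by_recomputing`); the precomputed table that would have cracked an unsalted sha256 of "hunter2" instantly (`crack_with_table`) no longer matches anything. The per-record cost is set by the iteration count, which is why a slow KDF is used here instead of a single sha256.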
