August 28th, 2012, 11:00 AM
Best practice with storing a salt
I'm building a project for work that has a login mechanism. I'd like to follow good practices as much as possible, so I'll be using a per-user salt and hashing it with sha256 at the least. My question is on storing those salts. The easiest would be to store it in our database. At first my concern was that if someone got access to the database they would have access to the salts, but then again, they'd have access to everything else in that database as well. So I guess my question would be: is this a legitimately secure way to store these salts? It's not an overly complex application; it stores pretty basic info (first and last name, email address, maybe street address, no cc information), but I would like to be security-minded and be able to protect our users. I'm just not sure how far I should go.
Any advice would be great.
"Those who can make you believe absurdities can make you commit atrocities."
August 28th, 2012, 05:04 PM
As you said, there is a lot more sensitive information than the password.
From my knowledge, one of the reasons to use a salt is to prevent a rainbow scan on the hashes and thereby getting the clear-text password.
An expert will have to fill in the rest.
August 28th, 2012, 11:33 PM
Salts are normally stored "next" to the passwords. They still serve their purpose even if they are known to the attacker.
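The layout the reply above describes, as an added example that is not code from this thread or from any poster: a per-user random salt stored in the same row as the password hash, with verification reading the salt back from that row. The table layout, the names (open_user_store, create_user, verify_login) and the in-memory SQLite store are assumptions made for the example. It deliberately uses PBKDF2-HMAC-SHA256 with a high iteration count rather than a single SHA-256 pass, because once an attacker holds the table a fast hash can be guessed at very high speed, salt or no salt; the salt only stops precomputed tables and shared work across users.

```python
import hashlib
import hmac
import os
import sqlite3

# Work factor for PBKDF2-HMAC-SHA256. Raise it as hardware allows; the value
# is stored per row so old records keep verifying after the default changes.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16


def open_user_store() -> sqlite3.Connection:
    """Create an in-memory SQLite database with a users table (assumed layout).

    The salt lives in the same row as the hash. It is not a secret: its job
    is to make every user's hash unique, so a precomputed table or a single
    cracking run cannot be reused across users.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " username TEXT PRIMARY KEY,"
        " salt BLOB NOT NULL,"
        " iterations INTEGER NOT NULL,"
        " pw_hash BLOB NOT NULL)"
    )
    return conn


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Slow, salted derivation of the stored value from the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_user(conn: sqlite3.Connection, username: str, password: str,
                iterations: int = DEFAULT_ITERATIONS) -> None:
    """Insert a user row with a fresh random salt generated for that user."""
    salt = os.urandom(SALT_BYTES)  # CSPRNG; never reuse a salt between users
    pw_hash = derive_key(password, salt, iterations)
    conn.execute(
        "INSERT INTO users (username, salt, iterations, pw_hash) VALUES (?, ?, ?, ?)",
        (username, salt, iterations, pw_hash),
    )
    conn.commit()


# Dummy record used when a username does not exist, so a failed login costs
# the same time whether or not the account is real.
_DUMMY_SALT = os.urandom(SALT_BYTES)
_DUMMY_HASH = derive_key("dummy password", _DUMMY_SALT, DEFAULT_ITERATIONS)


def verify_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Read the user's own salt and iteration count back and recompute."""
    row = conn.execute(
        "SELECT salt, iterations, pw_hash FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        # Unknown user: do the same work against the dummy record and reject.
        hmac.compare_digest(derive_key(password, _DUMMY_SALT, DEFAULT_ITERATIONS), _DUMMY_HASH)
        return False
    salt, iterations, stored = row
    candidate = derive_key(password, salt, iterations)
    # Constant-time comparison so the check does not leak matching prefixes.
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    db = open_user_store()
    # Two users with the same password: constructed sample data.
    create_user(db, "alice", "correct horse battery staple")
    create_user(db, "bob", "correct horse battery staple")
    for name, salt, pw_hash in db.execute("SELECT username, salt, pw_hash FROM users"):
        print(name, salt.hex(), pw_hash.hex())  # different salts, different hashes
    print(verify_login(db, "alice", "correct horse battery staple"))  # True
    print(verify_login(db, "alice", "wrong"))                         # False
    print(verify_login(db, "nobody", "anything"))                     # False
```

Running it shows the point of the reply: alice and bob share a password, yet their rows hold different salts and therefore different hashes, and an attacker who dumps the table and reads both salts still has to run the full derivation per guess per user.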
November 2nd, 2012, 07:40 PM
I agree; most encryption tutorials don't attempt to "hide" the salt in any way, so it's safe to store next to passwords.
Originally Posted by E-Oreo