The salt should be created for each password and not static for all
passwords, otherwise the value of the salt in protecting against
attacks using rainbow tables is almost useless. Usually the salt is
stored appended to the hash, alternatively you can store it in
another column.
Usually your login code will look like:
select username, password_hash from usertable where userid =
'some_user_id';
salt = substring(password_hash, 0, 2);
hashed_password = substring(password_hash, 2, 16);
if (hash(salt + userpassword) == hashed_password)
{
login...
}
else
{
login failed...
}
So there is no extra database traffic to speak of. Well... there is
the extra 2 bytes of salt, which is pretty trivial.
-dhs
Dean H. Saxe, CEH
dean@fullfrontalnerdity.com
"Great spirits have often encountered violent opposition from weak
minds."
--Einstein
Find out about my Hike for Discovery at www.fullfrontalnerdity.com/hfd
On Jun 1, 2006, at 10:20 AM, cynthia.peluso@us.ngrid.com wrote:
Where is the best place to store salts? I have developers that
will be using the Microsoft random number generator (ASP.NET ) to
generate a salt to append to the password and then hash. They want
to store the salt in the web.config file and the password hashes in
the database. What is best practice for salt storage? The
developer's concern is that storing the salts in the database will
increase traffic volume. I'm not sure if this is the case as we are
talking 16 bytes or so. If stored in web.config what level of
protection is required?
Cindy
----------------------------------------------------------------------
---
Sponsored by: Watchfire
Watchfire named worldwide market share leader in web application
security assessment by leading market research firm. Watchfire's
AppScan
is the industry's first and leading web application security testing
suite, and the only solution to provide comprehensive and consolidated
remediation task lists at every level of the application. See for
yourself.
Download a Free Trial of AppScan 6.0 today!
https://www.watchfire.com/securearea/appscansix.aspx?
id=701300000007t9c
----------------------------------------------------------------------
----
-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire named worldwide market share leader in web application
security assessment by leading market research firm. Watchfire's AppScan
is the industry's first and leading web application security testing
suite, and the only solution to provide comprehensive and consolidated
remediation task lists at every level of the application. See for
yourself.
Download a Free Trial of AppScan 6.0 today!
https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------
