Password Salts


Well-known member
Right now I am using a randomly generated password salt stored in a database in the field "salt".

I was just thinking about the practicality of this, and if for any reason that sql table become compromised, they would have access to my password salt.

What I was thinking is either creating a random salt on the fly, or possibly using the users email address as a password salt.

Anybody have any suggestions on the best way to do this?


Well-known member
Generate a new salt per user. You could also use a constant salt that is stored on the web server. This way, the attacker needs both salts in order to even attempt an attack.


Well-known member
Random salt per user is the best way to do it. Doesn't matter that it's stored in the DB really as you hash it in the password field.