
Password Salts

Lee

Well-known member
#1
Right now I am using a randomly generated password salt stored in a database in the field "salt".

I was just thinking about the practicality of this, and if for any reason that SQL table becomes compromised, they would have access to my password salt.

What I was thinking is either creating a random salt on the fly, or possibly using the user's email address as a password salt.

Anybody have any suggestions on the best way to do this?
 

jmurrayhead

Well-known member
#2
Generate a new salt per user. You could also use a constant salt that is stored on the web server. This way, the attacker needs both salts in order to even attempt an attack.
 

euantor

Well-known member
#3
Random salt per user is the best way to do it. Doesn't matter that it's stored in the DB really as you hash it in the password field.
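Putting #2 and #3 together in Python (an added example, not code from this thread or from any forum software): a fresh random salt per user stored next to the hash, plus a server-side constant (a pepper) read from configuration rather than the database, so a dumped table on its own is not enough to check guesses. The pepper value, the iteration count and the use of hashlib's PBKDF2 are assumptions made for this example because they are in the standard library; a dedicated password hash such as bcrypt or Argon2 would be the usual production choice.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed server-side constant ("pepper") that lives in web-server config,
# never in the database. This is a constructed value for the example.
PEPPER = b"example-pepper-kept-in-server-config"

# PBKDF2-HMAC-SHA256 work factor (OWASP's 2023 recommendation is 600,000).
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  pepper: bytes = PEPPER) -> dict:
    """Build the per-user record to store: a random salt plus the digest
    of password and pepper. The salt is stored in the clear next to the
    hash (as in #3); the pepper stays out of the database (as in #2)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # new random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode() + pepper,
                                 salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(password: str, record: dict,
                    pepper: bytes = PEPPER) -> bool:
    """Recompute the digest from the stored salt and compare in constant
    time. Without the correct pepper the stored hash cannot be matched,
    so a leaked table alone does not let an attacker confirm guesses."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode() + pepper,
                                 salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print("stored row:", rec)
    print("login ok:", verify_password("correct horse battery staple", rec))
```

Two users who pick the same password get different rows because their salts differ, which is what defeats precomputed hash tables.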