Password Salts

Lee

Lee

Well-known member
Right now I am using a randomly generated password salt stored in a database in the field "salt".

I was just thinking about the practicality of this, and if for any reason that sql table become compromised, they would have access to my password salt.

What I was thinking is either creating a random salt on the fly, or possibly using the users email address as a password salt.

Anybody have any suggestions on the best way to do this?
 
Generate a new salt per user. You could also use a constant salt that is stored on the web server. This way, the attacker needs both salts in order to even attempt an attack.
 
Random salt per user is the best way to do it. Doesn't matter that it's stored in the DB really as you hash it in the password field.
 
You must log in or register to reply here.

Similar threads

TrevC2
Username input fields are obscured by new iCloud password manager because of name="username"
Replies
0
Views
29
TrevC2
TrevC2
Steffen
Adding a Passkey implicitly enables 2FA which effectively disables password-based login and unexpectedly makes account recovery impossible
Replies
0
Views
36
Steffen
Steffen
CZ Eddie
  • Question Question
XF 2.3 A password reset request has been emailed to you. Please follow the instructions in that email.
Replies
0
Views
23
CZ Eddie
CZ Eddie
R
Mail dead, user lost password
Replies
18
Views
211
Robert9
R
V
  • Question Question
XF 2.1 Admin Password Reset - Pre-Upgrade
Replies
4
Views
66
Vade
V
Back
Top Bottom