Password Salts

Lee

Well-known member
Right now I am using a randomly generated password salt stored in a database in the field "salt".

I was just thinking about the practicality of this, and if for any reason that SQL table becomes compromised, they would have access to my password salt.

What I was thinking is either creating a random salt on the fly, or possibly using the user's email address as a password salt.

Anybody have any suggestions on the best way to do this?
 

jmurrayhead

Well-known member
Generate a new salt per user. You could also use a constant salt that is stored on the web server. This way, the attacker needs both salts in order to even attempt an attack.
 

euantor

Well-known member
Random salt per user is the best way to do it. Doesn't matter that it's stored in the DB really as you hash it in the password field.
 
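The scheme the two replies above describe, as an added example that is not code from any poster in this thread: a fresh random salt per user stored next to the digest (euantor's point that the salt can sit in the DB), combined with a constant kept only on the web server, commonly called a pepper (jmurrayhead's suggestion). The `PEPPER` value, the record layout, the iteration count and the function names are assumptions made for this example; the password strings are constructed test input.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the thread. PEPPER, the record layout and the
# function names are assumptions. The pepper lives on the web server (config
# file or environment variable), never in the users table.
PEPPER = b"example-server-side-secret"   # constructed value for this demo only

SALT_BYTES = 16
DEFAULT_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; raise it over time


def _derive(password: str, salt: bytes, pepper: bytes, iterations: int) -> bytes:
    """Mix the server-side pepper in with HMAC, then stretch with the per-user salt.

    Without the pepper an attacker holding the salt and digest cannot even
    test a candidate password offline.
    """
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, iterations)


def hash_password(password: str, pepper: bytes = PEPPER,
                  iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Build the row to store for a user: a new random salt, the iteration
    count (so old rows can be upgraded later) and the digest. The salt is
    not secret; only the pepper is."""
    salt = secrets.token_bytes(SALT_BYTES)
    return {
        "salt": salt.hex(),
        "iterations": iterations,
        "digest": _derive(password, salt, pepper, iterations).hex(),
    }


def verify_password(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Recompute from the stored salt and iteration count; compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = _derive(password, salt, pepper, record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


if __name__ == "__main__":
    pw = "correct horse battery staple"          # constructed test password
    rec1 = hash_password(pw)
    rec2 = hash_password(pw)
    print("same password, different salts  :", rec1["salt"] != rec2["salt"])
    print("same password, different digests:", rec1["digest"] != rec2["digest"])
    print("correct password verifies       :", verify_password(pw, rec1))
    print("wrong password rejected         :", not verify_password("Tr0ub4dor&3", rec1))
    # Simulates a leaked DB row (salt and digest known) without the server pepper:
    print("leaked row, no pepper, rejected :", not verify_password(pw, rec1, pepper=b"guess"))
```

The salt defeats precomputed tables and makes identical passwords hash differently across users, which is why it can be stored in plain view in the same row. The pepper is what makes a dumped table useless on its own; the cost is that rotating it means re-hashing every user at their next login, and it must be backed up separately from the database.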