1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Password Salts

Discussion in 'General PHP and MySQL Discussions' started by Lee, May 29, 2013.

  1. Lee

    Lee Well-Known Member

    Right now I am using a randomly generated password salt stored in a database in the field "salt".

    I was just thinking about the practicality of this, and if for any reason that sql table become compromised, they would have access to my password salt.

    What I was thinking is either creating a random salt on the fly, or possibly using the users email address as a password salt.

    Anybody have any suggestions on the best way to do this?
  2. jmurrayhead

    jmurrayhead Well-Known Member

    Generate a new salt per user. You could also use a constant salt that is stored on the web server. This way, the attacker needs both salts in order to even attempt an attack.
  3. euantor

    euantor Well-Known Member

    Random salt per user is the best way to do it. Doesn't matter that it's stored in the DB really as you hash it in the password field.

Share This Page