I need a login system to check the user password. I know about salting passwords, but should I store the salt and the encrypted password or should I only store the encrypted password and the salt is somewhere in my app config file?

Please give pros and cons if there are some, thanks!

A: 

If you have a different salt for every password, then you will have to store the salt and hashed password in the DB itself. If you are using only one salt for all passwords, then you can store it in another location, such as a config file.

Sachin Shanbhag
+1  A: 

It depends on how you are using salts for encryption...

If the salt does not change frequently:
I would store the salt alongside the master key in a safe location. Storing it alongside each password would just constitute a lot of redundant data. Furthermore, the database is probably not as safe a place as the storage location of the master key. Mind that the salt may be an essential part of the password security. (Depending on the length and strength of the passwords chosen by the users...)

If the salt changes frequently, i.e. with every encrypted password:
In this case you would need to store a huge number of salts. As one salt is only useful for the decryption of one password, it's not as critical a piece of information as in the above example; storing it in the DB alongside the passwords is OK, I guess. At any rate, storing the salts in the app config could get messy. (Unless you would create a special salt database or something like that.)

fgysin
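The per-password case described in both answers (a fresh salt for every password, stored in the same DB record as the hash), as an added Python example that is not part of either answer. It assumes PBKDF2-HMAC-SHA256 with an illustrative iteration count and a `$`-separated record format chosen here for the example; the salt is generated per password with `secrets` and is stored in the clear, since its job is uniqueness, not secrecy.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed parameters for this example: an iteration count picked for
# illustration and a 16-byte random salt per password.
ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt$hash.

    The salt lives inside the record, so a DB row holds everything needed
    to verify later; nothing about the salt has to be kept in app config.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        ALGO,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the salt stored in the record and compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False  # malformed record: never verifies
    if algo != ALGO or iterations <= 0:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def same_password_distinct_records(password: str) -> bool:
    """Two users with the same password get different stored records,
    which is the point of a per-password salt."""
    return hash_password(password) != hash_password(password)
```

Each record carries its own salt and parameters, so the iteration count can be raised later for new passwords while old records still verify.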