tags:

views:

672

answers:

5
+5  Q: 

Storing salt in code instead of database

There have been a couple of great discussions regarding salt best practices, and it seems the overwhelming recommendation is to generate a different salt for each password and store it alongside the password in the database.

However, if I understand the purpose of salt correctly, it is to reduce the chance that you will be compromised by rainbow table attacks. So, I understand that by storing it in the database it would be optimal to change it for each user, but what if the salt is nowhere near the database? If I store a single salt value in the code (which would on the web server be in a compiled dll), wouldn't that serve the same purpose if an attacker were to somehow gain access to the database? It would seem to me to be more secure.

+6  A: 

... until the attacker gains access to the DLL.

pjc50  2009-05-18 16:23:53
+14  A: 

The value of a salt lies in it being different for each user. You also need to be able to retrieve this non-unique value when you're re-creating the hashed value for comparison purposes.

If you store a single salt value that you use for every password, then you massively reduce the value of having a salt in the first place.

Glen  2009-05-18 16:24:21
+10  A: 

The purpose of a salt is to require the regeneration of a rainbow table per password. If you use a single salt, the hacker/cracker only has to regenerate the rainbow table once and he has all your passwords. But if you generate a random one per user, he has to generate one per user. Much more expensive on the hackers part. This is why you can store a salt in plain text, it doesn't matter if the hacker knows it as long as there's more than one.

Security by obscurity is not good, microsoft has taught us that.

Malfist  2009-05-18 16:28:19
and if you wanna have a lot of fun, do both ;) or do both and store a dup in the database, or do both, with a third salt in the database and a fourth salt that's a dup :D
Malfist  2009-05-18 16:29:43
+1  A: 

The lesson I learned from salts is: Divide and Conquer (security)

ATorras  2009-05-18 17:18:40
+3  A: 

In addition to other answers, it's also worth noting that an attacker could figure out your salt in the same way he would figure out a password: Given a known password (his own), he can do a brute force attack on possible salts.

Nick Johnson  2009-05-19 09:09:36
Great point, thanks.
ern  2009-05-19 13:34:26

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps