  1. #1 New Coder (joined May 2012)

    Using a salt value

    Hi,

    I've been reading up on using a salt value when creating a password to make it more secure. What I can't get my head round is: how do you remember this salt value?

    I'm guessing that when a user logs in, to be able to compare the password entered with the one in the database, you would need to again add the salt value to the entered password.

    Am I missing something really obvious?

    Thanks

  • #2 Redcoder (Regular Coder, joined May 2012, location /dev/null)
    There is no way that you have to remember the salt - you ingrain it in the code. Maybe what you mean is that you don't want to use a constant salt. To have a variable salt you can use things like the username of the user as the salt, or the first 5 characters of the username, i.e. values that are not constant.

  • #3 New Coder (joined May 2012)
    Ahhh ok, that makes far more sense. I was thinking that the salt value was being created randomly on the fly.

    Thanks

  • #4 Fou-Lu (God Emperor, joined Sep 2002, location Saskatoon, Saskatchewan)
    Quote, originally posted by probi:
    Ahhh ok, that makes far more sense. I was thinking that the salt value was being created randomly on the fly.

    Thanks
    You can create it random for each person, but not on the fly during lookup. You can also use both a constant value and a stored value if desired. The primary purpose is that should a db become compromised and data is retrieved, then even if you do generate a collision match to the known hashed password, it would not be the correct one (or rather, it likely won't be the correct one). A secondary pro is that multiple users who happen to have the same password won't look like they do.
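    The "random per user, stored next to the hash, re-read at login" scheme Fou-Lu describes, as an added example in Python that is not code from any poster in this thread: the salt is drawn once when the password is set and kept in the stored record, so nothing has to be "remembered" separately, and the optional constant `pepper` argument stands in for the "constant value plus stored value" variant. PBKDF2-HMAC-SHA256, the record layout and the iteration count are this example's own choices, not something the thread specifies.

    ```python
    import hashlib
    import hmac
    import os

    # Work factor for PBKDF2-HMAC-SHA256 (chosen for this example; tune to your hardware).
    ITERATIONS = 200_000
    SALT_BYTES = 16


    def hash_password(password: str, pepper: bytes = b"") -> str:
        """Build a storable record: random per-user salt plus the derived key.

        The salt is generated here, once, when the password is set (not at
        login), and is written into the record so it can be read back later.
        `pepper` is an optional constant kept in code/config rather than in
        the database, matching the 'constant value plus stored value' idea.
        """
        salt = os.urandom(SALT_BYTES)
        key = hashlib.pbkdf2_hmac("sha256", password.encode() + pepper, salt, ITERATIONS)
        return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${key.hex()}"


    def verify_password(password: str, record: str, pepper: bytes = b"") -> bool:
        """Check a login attempt against the stored record.

        The salt and iteration count are parsed back out of the record and
        the entered password is run through the same derivation; the digests
        are compared in constant time so timing does not leak match progress.
        """
        try:
            algo, iters, salt_hex, key_hex = record.split("$")
            if algo != "pbkdf2_sha256":
                return False
            salt = bytes.fromhex(salt_hex)
            expected = bytes.fromhex(key_hex)
            iterations = int(iters)
        except ValueError:
            return False  # malformed record: treat as a non-match, never as a match
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode() + pepper, salt, iterations)
        return hmac.compare_digest(candidate, expected)


    if __name__ == "__main__":
        # Constructed sample: two users who happen to choose the same password.
        alice = hash_password("correct horse battery staple")
        bob = hash_password("correct horse battery staple")
        print(alice != bob)                                             # True: salts differ
        print(verify_password("correct horse battery staple", alice))  # True
        print(verify_password("wrong password", alice))                 # False
    ```

    Because each record carries its own salt, two users with the same password get different records, which is the "secondary pro" from the post above.
    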
