Using a salt value

probi · 10-07-2012, 09:23 AM

Hi,

I've been reading up on using a salt value when creating a password to make it more secure, what I can't get my head round is how do you remember this salt value?

I'm guessing that when a user logs in to be able to compare the password entered with the one in the database you would need to again add the salt value to the entered password.

Am I missing something really obvious?

Thanks

Redcoder · 10-07-2012, 10:31 AM

There is no way that you have to remember the salt - you ingrain it in the code. Maybe what you mean is that you don't want to use a constant salt. To have a variable salt you can use things like the username of the user as the salt, or the first 5 characters of the username i.e values that are not constant.

probi · 10-07-2012, 10:51 AM

Ahhh ok, that makes far more sense, I was thinking that the salt value was being created randomly on the fly.

Thanks

Fou-Lu · 10-07-2012, 01:40 PM

Quote:

Originally Posted by probi

Ahhh ok, that makes far more sense, I was thinking that the salt value was being created randomly on the fly.

Thanks

You can create it random for each person, but not on the fly during lookup. You can also use both a constant value and a stored value if desired. The primary purpose is that should a db become compromised and data is retrieved, than even if you do generate a collision match to the known hashed password, it would not be the correct one (or rather, it likely won't be the correct one). A secondary pro is that multiple user's whom happen to have the same password won't look like they do.