[Esapi-user] Using account name as salt

Jim Manico jim.manico at owasp.org
Fri May 6 16:00:00 EDT 2011


On 5/6/2011 6:00 AM, Chris Schmidt wrote:
> Salts are generally stored w/ the password hash itself. 

In general, I think this is a bad design idea. I've seen several
advanced defensive practitioners do something called "salt isolation"
where the salt and the password hash are, on purpose, stored in a
different location. Even something simple such as storing your salts in
a file system and storing hashes in the database reduces risk of
password exposure.

- Jim
