[OWASP_PHPSEC] Is storing static salt in database a good idea ?

Shivam Dixit shivamd001 at gmail.com
Mon Sep 2 12:54:20 UTC 2013


Hello all,

I want to discuss the issue of *how to store the hashed password securely
in the database*.

In the auth library "*user.php*", which is used for implementing basic password
management, I noticed that when creating a "*newUserObject*" the static
salt is also stored in the database. Do we really need to store the
static salt in the *database* if we can accomplish our task just by storing
the dynamic salt? Are we going to have different static salts for different
users?

If the database is compromised the attacker will have the *static salt, dynamic
salt as well as the hashing algorithm*, which will ease his task of reverse
lookup! Also, can we use the same column for storing the dynamically generated
salt as well as the hash, e.g. use the first 32 characters for the 128-bit
salt and then the last 40 for the 160-bit hash? In this scenario even if the
attacker has access to the database he will be able to get little out of it.

Please give your suggestions on the issue.

*Cheers,*
*Shivam Dixit*
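The layout proposed in the message, as an added example (not code from the project's user.php, and not the author's): one database column holding a 32-hex-char 128-bit per-user salt followed by a 40-hex-char 160-bit hash, while the static salt stays in application configuration rather than in the database. The 160-bit value is produced with PBKDF2-HMAC-SHA256 truncated to 20 bytes rather than plain SHA-1, the iteration count and the static salt value are assumptions for illustration, and the `crack` function models the post's attacker who holds the database dump, the algorithm and the per-user salt, with and without the static salt:

```python
"""Added example: per-user (dynamic) salt and hash stored in one column,
static salt ("pepper") kept OUT of the database.

Stored column layout (72 hex chars), following the post's proposal:
    [ 32 hex chars = 128-bit per-user salt ][ 40 hex chars = 160-bit hash ]
The 160-bit value comes from PBKDF2-HMAC-SHA256 truncated to 20 bytes
(dklen=20); the static salt is mixed into the KDF salt input.
Constants, names and the static salt value are this example's assumptions.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

SALT_BYTES = 16          # 128-bit per-user salt -> 32 hex chars
HASH_BYTES = 20          # 160-bit KDF output    -> 40 hex chars
ITERATIONS = 100_000     # assumed work factor; tune for your hardware

# Assumed deployment: read from config or environment, never stored in the DB.
STATIC_SALT = bytes.fromhex("5f4dcc3b5aa765d61d8327deb882cf99")  # constructed value


def derive_hash(password: str, user_salt: bytes, static_salt: bytes) -> bytes:
    """160-bit password hash keyed by (per-user salt || static salt)."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), user_salt + static_salt,
        ITERATIONS, dklen=HASH_BYTES)


def new_user_record(password: str, static_salt: bytes = STATIC_SALT) -> str:
    """Build the single DB column value: salt hex followed by hash hex."""
    user_salt = os.urandom(SALT_BYTES)
    digest = derive_hash(password, user_salt, static_salt)
    return user_salt.hex() + digest.hex()


def split_record(record: str) -> Tuple[bytes, bytes]:
    """Recover (per-user salt, hash) from the combined column."""
    if len(record) != 2 * (SALT_BYTES + HASH_BYTES):
        raise ValueError("malformed password record")
    salt_hex, hash_hex = record[:2 * SALT_BYTES], record[2 * SALT_BYTES:]
    return bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def verify_password(password: str, record: str,
                    static_salt: bytes = STATIC_SALT) -> bool:
    """Recompute the hash and compare in constant time."""
    user_salt, stored = split_record(record)
    candidate = derive_hash(password, user_salt, static_salt)
    return hmac.compare_digest(candidate, stored)


def crack(record: str, wordlist: List[str], static_salt: bytes) -> Optional[str]:
    """Offline dictionary attack by someone holding the DB column.

    The attacker knows the algorithm and the per-user salt (both are in the
    dump).  Success depends on whether they also hold the static salt, which
    is the point of keeping it out of the database.
    """
    for guess in wordlist:
        if verify_password(guess, record, static_salt):
            return guess
    return None


if __name__ == "__main__":
    rec = new_user_record("correct horse battery staple")
    print("stored column:", rec, "(length", len(rec), ")")
    print("login ok:", verify_password("correct horse battery staple", rec))
    words = ["password", "123456", "correct horse battery staple"]
    print("crack with static salt leaked:", crack(rec, words, STATIC_SALT))
    print("crack with DB only (static salt unknown):", crack(rec, words, b""))
```

The per-user salt is not secret and may sit next to the hash; what the attacker in the message is missing is only the static salt, so the dictionary attack succeeds when the static salt is in the dump and fails when it is held elsewhere.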

