[OWASP_PHPSEC] Is storing static salt in database a good idea?

Abbas Naderi abiusx at owasp.org
Mon Sep 2 16:17:42 UTC 2013


Hi Shivam,
Good point.
We need to move the static salt to the library as a static confidential string object.
Thanks
-Abbas
______________________________________________________________
Notice: This message is digitally signed, its source and integrity are verifiable.
If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body. Read more at Certified E-Mail with Comodo and Thunderbird in AbiusX.com

On Sep 2, 2013, at 8:54 AM, Shivam Dixit <shivamd001 at gmail.com> wrote:

> Hello all,
> 
> I want to discuss the issue of how to store the hashed password securely in the database.
> 
> In the auth library "user.php", which is used for implementing basic password management, I noticed that when creating a "newUserObject", the static salt is also stored in the database. Are we really required to store the static salt in the database if we can accomplish our task just by storing the dynamic salt? Are we going to have different static salts for different users?
> 
> If the database is compromised, the attacker will have the static salt, the dynamic salt as well as the hashing algorithm, which will ease his task of reverse lookup! Also, can we use the same column for storing the dynamically generated salt as well as the salt, for example using the first 32 characters for the 128-bit salt and then the last 40 for the 160-bit hash? In this scenario, even if the attacker has access to the database, he will be able to get little out of it.
> 
> Please give your suggestions on the issue.
> 
> Cheers,
> Shivam Dixit
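
An added example, not code from the OWASP PHPSEC library or from either poster: the layout discussed in this thread, with the per-user salt (32 hex characters) and the hash (40 hex characters) packed into one column and the static salt held in application code instead of the database. What the database dump then lacks is the static salt; the packed column itself hides nothing once its layout is known. Assumptions: PHP 7 or later; the function names, the placeholder static salt value, and the choice of HMAC-SHA-256 followed by PBKDF2-HMAC-SHA1 to produce the 160-bit value are made up for this example.

```php
<?php
// Added example; names and values below are hypothetical, not the library's own.

// Static salt: lives in code/configuration, never in the database.
// Constructed placeholder value; a real one would be long and random.
const STATIC_SALT  = 'constructed-placeholder-static-salt';
const SALT_HEX_LEN = 32;      // 128-bit per-user salt, hex encoded
const HASH_HEX_LEN = 40;      // 160-bit hash, hex encoded
const ITERATIONS   = 100000;  // PBKDF2 work factor chosen for this example

// Derive the 40-hex-character hash from password, static salt and per-user salt.
function derive_hash(string $password, string $saltHex): string
{
    // Key the password with the static salt first, so a database dump alone
    // is not enough to test password guesses offline.
    $keyed = hash_hmac('sha256', $password, STATIC_SALT, true);
    // With raw output disabled (the default), the length argument counts hex digits.
    return hash_pbkdf2('sha1', $keyed, hex2bin($saltHex), ITERATIONS, HASH_HEX_LEN);
}

// Build the single-column value: 32 hex chars of salt followed by 40 of hash.
function make_password_record(string $password): string
{
    $saltHex = bin2hex(random_bytes(16)); // fresh random salt for every user
    return $saltHex . derive_hash($password, $saltHex);
}

// Split the column back into salt and hash, recompute, compare in constant time.
function verify_password_record(string $password, string $record): bool
{
    if (strlen($record) !== SALT_HEX_LEN + HASH_HEX_LEN || !ctype_xdigit($record)) {
        return false; // malformed or truncated column value
    }
    $saltHex = substr($record, 0, SALT_HEX_LEN);
    $stored  = substr($record, SALT_HEX_LEN);
    return hash_equals($stored, derive_hash($password, $saltHex));
}

// Constructed sample input.
$record = make_password_record('correct horse battery staple');
var_dump(strlen($record));
var_dump(verify_password_record('correct horse battery staple', $record));
var_dump(verify_password_record('wrong guess', $record));
```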