[OWASP_PHPSEC] Is storing static salt in database a good idea ?

rahul chaudhary rahul300chaudhary400 at gmail.com
Tue Sep 3 22:25:57 UTC 2013

ok...so you must know the reason why I stored static salt in DB in the
first place.....since static salt was a user defined value and I thought
that if someone changes the static salt later at some point, the whole
application will break down....so to save this thing, I also stored static
salt in the DB, so that even if the developer changes the salt at some
point (like after some attack) , the application wont fail, it would just
start storing new hashed with the new salt and would get the old hashes
with the old salt.
So, if everyone will vote-up that static salts must not be stored in the
DB, then I will change that. :)

However, the point you stated that if DB is compromised. that point is
perfectly genuine and legit. So, this is definitely a point worth
discussing. ^_^

Now the second point. You said that you want to store dynamic salt and
static salt, both in one column by keeping first 32 chars of dynamic and 40
chars of overall hash. I do not understand this point. Can you please
explain this process in a bit detail.

On Tue, Sep 3, 2013 at 7:32 AM, Abbas Naderi <abiusx at owasp.org> wrote:

> Yes
> ______________________________________________________________
> *Notice:** *This message is *digitally signed*, its *source* and *
> integrity* are verifiable.
> If you mail client does not support S/MIME verification, it will display a
> file (smime.p7s), which includes the X.509 certificate and the signature
> body.  Read more at Certified E-Mail with Comodo and Thunderbird<http://abiusx.com/certified-e-mail-with-comodo-and-thunderbird/> in
> AbiusX.com
> On Sep 3, 2013, at 6:12 AM, Shivam Dixit <shivamd001 at gmail.com> wrote:
> On Mon, Sep 2, 2013 at 9:47 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>> Hi Shivam,
>> Good point.
>> We need to move the static salt to the library as a static confidential
>> string object.
>> Thanks
>> -Abbas
> Hello Abbas,
> Shall I file an issue on github for this problem also ?
> *Cheers,*
> *Shivam*
> _______________________________________________
> OWASP_PHP_Security_Project mailing list
> OWASP_PHP_Security_Project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project

Rahul Chaudhary
Ph - 412-519-9634
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp_php_security_project/attachments/20130903/5e8b5e34/attachment-0001.html>

More information about the OWASP_PHP_Security_Project mailing list