Comments on Should a salt be stored in the same database as the hash?
Should a salt be stored in the same database as the hash?
To protect against dictionary and rainbow table attacks it is well known that passwords should be salted before hashing. The salt (unique to each password) gets stored with the hash, often in the same string separated by a semi-colon.
However, if the salts and hashes are stored together and the database is compromised, then the attacker will have access to the salt used for each hash, which defeats the purpose of the salt.
Is this a legitimate concern? Should salts be stored in a database separate from the hashes?
The purpose of a cryptographic salt is to make the same input (password) hash to different values in different instances …
4y ago
When I first learned about salting, I thought the same thing. But as I understand it, because each salt is unique (or su …
4y ago
The other answers are correct, but over complicate things. Suppose you have a database with 1,000,000 email addresse …
9mo ago
With bcrypt, the salt is stored in the same string as the hash. This is done so that you have everything you need to get …
9mo ago
The issue with using two separate databases is you need to: - store both access strings - back up both databases - …
4y ago
The issue with using two separate databases is you need to:
- store both access strings
- back up both databases
- manage both databases
- keep both databases patched
By the time you have done that, the risk of both databases getting hacked is much the same as the risk of a single database getting hacked.