funkycottleti

Reputation: 298

Storing encrypted password and salt or only storing encrypted password?

I need a login system to check the user password. I know about salting passwords, but should I store the salt and the encrypted password or should I only store the encrypted password and the salt is somewhere in my app config file?

Please list pros and cons if there are any, thanks!

Upvotes: 1

Views: 362

Answers (2)

fgysin

Reputation: 11913

It depends on how you are using salts for encryption...

If the salt does not change frequently:
I would store the salt alongside the master key in a safe location. Storing it alongside each password would just constitute a lot of redundant data. Furthermore, the database is probably not as safe a place as the storage location of the master key. Mind that the salt may be an essential part of the password security. (Depending on the length and strength of the passwords chosen by the users...)

If the salt changes frequently, i.e. with every encrypted password:
In this case you would need to store a huge number of salts. As one salt is only useful for the decryption of one password, it's not as critical a piece of information as in the above example, so storing it in the DB alongside the passwords is ok I guess. At any rate, storing the salts in the app config could get messy. (Unless you would create a special salt database or something like that.)

Upvotes: 1

Sachin Shanbhag

Reputation: 55479

If you have a differing salt for every password then you will have to store the salt and hashed password in the DB itself. If you are using only one salt for all passwords, then you can prefer to store it in another location, such as a config file.

Upvotes: 1
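An added example, not from the question or either answer, of the per-password scheme both answers describe: a random salt is generated for each password and stored in the same record as the hash, so the login check needs nothing from the app config. The algorithm (PBKDF2-SHA256), iteration count and record format are my own assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example; tune the iteration count to your hardware.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    The salt is random per password and lives inside the record. It is not a
    secret, so nothing has to be kept in the app config to verify later.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash using the salt and iteration count taken from the record."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iterations)
    except ValueError:  # malformed record: wrong field count, bad hex or bad int
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(digest, expected)


def same_password_different_records(password: str, iterations: int = ITERATIONS) -> bool:
    """Two users who pick the same password get unrelated records; that is the
    point of a per-password salt: cracking one record says nothing about the other."""
    a = hash_password(password, iterations)
    b = hash_password(password, iterations)
    return a != b and verify_password(password, a) and verify_password(password, b)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample password
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong guess", rec))                   # False
```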
