Reputation: 249
Right now I have a "salt" column and a "password" column in the database (the user table), both varchar(64) and taking sha-256 hashes as values.
Do you think it's a good idea to eliminate the salt column and use the user's e-mail address to generate a salt during password validation? This would save some space in the database.
Upvotes: 2
Views: 120
Reputation: 9013
See this answer for why you should use a random salt for every password creation.
Upvotes: 2
Reputation: 38825
A salt should never, ever change. An email address can. Your thinking of removing the salt column is the DBA equivalent of premature optimization, with the added consequence of disastrous results.
Upvotes: 2
Reputation: 164291
I don't think it's a problem to store a random salt, instead of deriving it from other columns of the user.
However, if you decide to use one or more other columns for the salt, you need to be 100% sure that the value chosen never changes. In your example, if the user changes email address, you have lost any way to validate his password.
Upvotes: 5
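The two answers above make the same point in prose: the salt must be random per password and must not change for the life of the stored hash. The following is an added example (not code from the question or from any of the answerers) that shows both halves of that argument side by side. It assumes PBKDF2-HMAC-SHA256 as the password hash (the question only mentions sha-256 values), an in-memory dict standing in for the user table, and hex-encoded salts so they fit the existing varchar(64) column; `change_email` and `email_salt_survives_change` are hypothetical helpers written for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the user table: email -> {"salt": hex, "password": hex}.
# A 32-byte random salt encodes to 64 hex characters, so it fits varchar(64).
SALT_BYTES = 32
PBKDF2_ITERATIONS = 600_000  # assumption: a current OWASP-style work factor


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte hash from the password and a salt (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def create_user(table: dict, email: str, password: str) -> None:
    """Store a fresh random salt next to the hash, as the answers recommend."""
    salt = secrets.token_bytes(SALT_BYTES)
    table[email] = {
        "salt": salt.hex(),
        "password": hash_password(password, salt).hex(),
    }


def verify_user(table: dict, email: str, password: str) -> bool:
    """Recompute the hash with the stored salt; compare in constant time."""
    row = table.get(email)
    if row is None:
        return False
    expected = bytes.fromhex(row["password"])
    candidate = hash_password(password, bytes.fromhex(row["salt"]))
    return hmac.compare_digest(candidate, expected)


def change_email(table: dict, old_email: str, new_email: str) -> None:
    """Changing the email moves the row; salt and hash travel with it unchanged."""
    table[new_email] = table.pop(old_email)


# The scheme the question proposes: salt derived from the email address.
def hash_with_email_salt(email: str, password: str) -> bytes:
    return hash_password(password, email.encode("utf-8"))


def email_salt_survives_change(password: str, old_email: str, new_email: str) -> bool:
    """True only if a hash stored under old_email still verifies after the
    address changes; with an email-derived salt it cannot."""
    stored = hash_with_email_salt(old_email, password)
    recomputed = hash_with_email_salt(new_email, password)
    return hmac.compare_digest(stored, recomputed)


if __name__ == "__main__":
    users = {}
    create_user(users, "alice@example.test", "correct horse")
    create_user(users, "bob@example.test", "correct horse")
    # Same password, different random salts, different stored hashes.
    print(users["alice@example.test"]["password"] != users["bob@example.test"]["password"])
    change_email(users, "alice@example.test", "alice@new.example.test")
    print(verify_user(users, "alice@new.example.test", "correct horse"))
    print(email_salt_survives_change("correct horse", "alice@example.test", "alice@new.example.test"))
```

With a stored random salt, an email change is a row update that leaves authentication untouched; with an email-derived salt, the same change silently invalidates every affected password, which is the "lost any way to validate" outcome the last answer describes. The 64 bytes saved per row buy nothing in exchange.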