0

Possible Duplicate:
what is best possible way of salting and storing salt?
Improve password hashing with a random salt

Assuming that using a correct algorithm for password hashing and generating different salts for each password...

Is it a security risk to store salts separately from password hashes? For ex. in a database table, storing password hashes in one column, and password salts in a separate column?

I saw strategies where the salt is embedded into the password hash itself, by using a specific algorithm. Later on the salt can be extracted from the password hash. Is this more secure?

Community
  • 1
  • 1
feketegy
  • 711
  • 1
  • 5
  • 19
  • 2
    It doesn't make any difference. Storing them in the same column is more convenient. If anything, storing them separately would be more secure (but in practice it doesn't matter). – deceze Nov 19 '12 at 17:33

1 Answers1

2

From everything I have ever read and done, there is nothing wrong with storing the password hash and password salt in separate columns, and that is the most common way to do it.

The basic method for authentication should go something like this:

  1. Retrieve user_id and password_salt using user supplied username or email
  2. Concat user supplied password input with retrieved salt
  3. Use hashing algorithm on combined string
  4. Check created hash against the hash in the database
nickhar
  • 19,981
  • 12
  • 60
  • 73
Ethan
  • 2,754
  • 1
  • 21
  • 34