[RESOLVED] Salt and Passwords

Neville1985

I was talking to a friend about storing salts and passwords, the conversation was about whether or not it is more secure storing salts in a file somewhere on the server, rather then within the database itself.

I've never been one to hard-code salts, preferring randomly generated strings for each independent user and storing them in the database.

Is there any benefit to storing salts in a file rather then in a database? An example being; if the database containing the passwords is stolen somehow, the salts are not included within it, thus increasing security.

Any opinions or suggestions on this?

dagon

It will depend on what your defending, but if the whole db has been stolen, then the salted passwords are not a concern any more.

Weedpacket

The security of salted passwords is still dependent on the security of the hashing algorithm: knowing part of the hashed string (which is what you have when you have access to the salt) is no help in determining the rest.

Neville1985

Appreciate it guys