Salt, passwords and security

Posted by Jonathan on Stack Overflow See other posts from Stack Overflow or by Jonathan
Published on 2010-04-06T07:09:42Z Indexed on 2010/04/06 7:13 UTC
Read the original article Hit count: 550

Filed under:

salt

|

passwords

|

security

I've read through many of the questions on SO about this, but many answers contradict each other or I don't understand.

You should always store a password as a hash, never as plain text. But should you store the salt (unique for each user) next to the hashed password+salt in the database. This doesn't seem very clever to me as couldn't someone gain access to the database, look for says the account called Admin or whatever and then work out the password from that?

© Stack Overflow or respective owner

Related posts about salt

Why is a password salt called a "salt"?

as seen on Stack Overflow - Search for 'Stack Overflow'
Is there a significance to the word "salt" for a password salt? >>> More
Salt question - using a "random salt"

as seen on Stack Overflow - Search for 'Stack Overflow'
Hey everyone, Further to my question here, I have another question regarding salts. When someone says "use a random salt" to pre/append to a password, does this mean: Creating a static a 1 time randomly generated string of characters, or Creating a string of characters that changes at random… >>> More
Generating a salt in PHP

as seen on Stack Overflow - Search for 'Stack Overflow'
What's the best way to generate a cryptographically secure 32 bytes salt in PHP, without depending on libraries seldom included in typical PHP installations? After some googling I discovered that mt_rand is not considered secure enough, but I haven't found a suggestion for a replacement. One article… >>> More
Salt, passwords and security

as seen on Stack Overflow - Search for 'Stack Overflow'
I've read through many of the questions on SO about this, but many answers contradict each other or I don't understand. You should always store a password as a hash, never as plain text. But should you store the salt (unique for each user) next to the hashed password+salt in the database. This doesn't… >>> More
salt and rainbow table

as seen on Stack Overflow - Search for 'Stack Overflow'
what is "salt", also what is "rainbow table". >>> More

Related posts about passwords

Fixing /etc/shadow with md5 passwords to sha512 passwords

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I recently upgraded an ubuntu server with many users to a recent version from a version from 2008. The server used to use md5 password hashes (e.g., the shadow passwords began with $1$) and now is configured to use sha512. I'd prefer to keep using sha512, but would like the old users to be able… >>> More
How to securely generate memorable passwords?

as seen on Super User - Search for 'Super User'
Whenever I need new passwords I use some tools to generate those, preferable memorable passwords, but I've been wondering how secure this might actually be. Using The xkcd random number generator is probably pretty bad, cat /dev/random is probably pretty good, but generating memorable passwords seems… >>> More
Gawker Passwords

as seen on Geeks with Blogs - Search for 'Geeks with Blogs'
There has been much news about the hack of the Gawker web sites. There has even been an analysis of the common passwords found. This list is embarrassing in many ways. The most common password was "123456". The second most common password was "password". Much has also been written providing… >>> More
Phishing Ploy Forces Twitter to Reset Passwords

as seen on Internet.com - Search for 'Internet.com'
The microblogging site has reset some Twitter users' passwords after a phishing attack attempted to steal their login information. >>> More
Phishing Ploy Forces Twitter to Reset Passwords

as seen on Internet.com - Search for 'Internet.com'
The microblogging site has reset some Twitter users' passwords after a phishing attack attempted to steal their login information. >>> More