WebApp Sec mailing list archives

Re: Salt Storage - web.config or database?


From: "Dean H. Saxe" <dean () fullfrontalnerdity com>
Date: Fri, 2 Jun 2006 20:42:31 -0400

The salt should be created for each password and not static for all passwords, otherwise the value of the salt in protecting against attacks using rainbow tables is almost useless. Usually the salt is stored appended to the hash, alternatively you can store it in another column.

Usually your login code will look like:

select username, password_hash from usertable where userid = 'some_user_id';
salt = substring(password_hash, 0, 2);              /* first 2 bytes of the column are this user's salt */
hashed_password = substring(password_hash, 2, 16);  /* remaining 16 bytes are hash(salt + password) */

if (hash(salt + userpassword) == hashed_password)   /* recompute with the stored salt and compare */
{
        login...
}
else
{
        login failed...
}

So there is no extra database traffic to speak of. Well... there is the extra 2 bytes of salt, which is pretty trivial.

-dhs

Dean H. Saxe, CEH
dean () fullfrontalnerdity com
"Great spirits have often encountered violent opposition from weak minds."
    --Einstein

Find out about my Hike for Discovery at www.fullfrontalnerdity.com/hfd


On Jun 1, 2006, at 10:20 AM, cynthia.peluso () us ngrid com wrote:

Where is the best place to store salts? I have developers that will be using the Microsoft random number generator (ASP.NET) to generate a salt to append to the password and then hash. They want to store the salt in the web.config file and the password hashes in the database. What is best practice for salt storage? The developer's concern is that storing the salts in the database will increase traffic volume. I'm not sure if this is the case as we are talking 16 bytes or so. If stored in web.config what level of protection is required?

Cindy
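The scheme Dean describes above (one column holding salt || hash, a fresh salt per user), as an added illustration that is not part of either post: it assumes a 16-byte salt as in Cindy's message and uses SHA-256 in place of the abstract hash(), and contrasts a per-user salt with the static, web.config-style salt to show why the latter makes equal passwords collide.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 16  # bytes; Cindy's message mentions "16 bytes or so"


def make_record(password: str, salt: Optional[bytes] = None) -> bytes:
    """Build the single stored column: salt || hash(salt + password).

    A fresh random salt is drawn per call (i.e. per user) unless one is
    supplied; the demo below supplies one to imitate a static salt.
    SHA-256 stands in for the thread's abstract hash() (an assumption);
    a modern deployment would use a deliberately slow password hash.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    assert len(salt) == SALT_LEN
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return salt + digest


def verify(record: bytes, password: str) -> bool:
    """Split the stored column into salt and hash, recompute, compare.

    Mirrors Dean's login sketch: salt is the prefix, hash is the rest.
    compare_digest avoids leaking the first mismatching byte via timing.
    """
    salt, stored_hash = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, stored_hash)


def same_password_collides(password: str, static_salt: Optional[bytes]) -> bool:
    """Store the same password for two users and report whether the two
    records are identical. With a static salt they always are, so one
    cracked record (or one precomputed table) covers every user sharing
    that password; with per-user salts the records differ."""
    alice = make_record(password, static_salt)
    bob = make_record(password, static_salt)
    return alice == bob


if __name__ == "__main__":
    rec = make_record("correct horse")
    print(verify(rec, "correct horse"), verify(rec, "wrong"))    # True False
    print(same_password_collides("hunter2", b"\x00" * SALT_LEN))  # True
    print(same_password_collides("hunter2", None))                # False
```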

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire named worldwide market share leader in web application
security assessment by leading market research firm. Watchfire's AppScan
is the industry's first and leading web application security testing
suite, and the only solution to provide comprehensive and consolidated
remediation task lists at every level of the application. See for
yourself.
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
-------------------------------------------------------------------------