Passwords - How to store salt?
TI(r)L (Today I really Learned) how (and why) to store salt.
This is the link for the full read.
TL;DR - You can store the salt in plaintext without any form of obfuscation or encryption, but don't just give it out to anyone who wants it.
The reason we want to salt the password is to make it harder for an attacker to crack the passwords, once the DB has been comprimised. When the password has been encrypted with the salt, an attacker can't use a rainbow table. This means that the attacker needs to spend a lot of time decrypting the passwords. This gives you time to detect the breach and reset all the passwords.
Read the full answer here for a full technical deep dive.
RSS | ATOM | JSON | Mastodon