[WEB SECURITY] Salt Storage - web.config or database?

Peluso, Cynthia M. Cynthia.Peluso at us.ngrid.com
Thu Jun 1 11:15:16 EDT 2006

Where is the best place to store salts?  I have developers that will be
using the Microsoft random number generator (ASP.NET) to generate a
salt to append to the password and then hash.  They want to store the
salt in the web.config file and the password hashes in the database.
What is best practice for salt storage?  The concern is that storing
the salts in the database will increase traffic volume. I'm not sure if
this is the case as we are talking 16 bytes or so.  If stored in
web.config at the presentation layer, should it be encrypted?  

Cindy Peluso
cynthia.peluso at us.ngrid.com
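
The database option raised in the message above, as an added example that is not part of the original post: Python, with an in-memory SQLite table standing in for the application database, keeping a 16-byte per-user salt in the same row as the hash so one lookup returns both. It assumes the web.config option means one salt shared by all accounts, and it swaps PBKDF2-HMAC-SHA256 in for the single salted hash the post describes; the table, function and account names are hypothetical.

```python
import hashlib
import hmac
import secrets
import sqlite3

ITERATIONS = 100_000   # assumed work factor, not a value from the post
SALT_LEN = 16          # the "16 bytes or so" mentioned in the post

def derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256, swapped in for a single hash of password + salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY,"
               " salt BLOB NOT NULL, pw_hash BLOB NOT NULL)")
    return db

def register(db, name, password, salt=None):
    # Fresh random salt per user by default; pass `salt` to model one shared value.
    salt = salt if salt is not None else secrets.token_bytes(SALT_LEN)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, derive(password, salt)))

def verify(db, name, password) -> bool:
    # One query returns salt and hash together: no extra round trip for the salt.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(derive(password, salt), stored)  # constant-time compare

def stored_hash(db, name) -> bytes:
    return db.execute("SELECT pw_hash FROM users WHERE name = ?", (name,)).fetchone()[0]

if __name__ == "__main__":
    db = open_db()
    register(db, "alice", "Tr0ub4dor&3")    # constructed sample accounts
    register(db, "bob", "Tr0ub4dor&3")
    print(verify(db, "alice", "Tr0ub4dor&3"), verify(db, "alice", "wrong"))
    # Same password, different per-user salts: the stored hashes differ.
    print(stored_hash(db, "alice") != stored_hash(db, "bob"))
    shared = secrets.token_bytes(SALT_LEN)  # models a single salt held in web.config
    register(db, "carol", "Tr0ub4dor&3", shared)
    register(db, "dave", "Tr0ub4dor&3", shared)
    # Shared salt: equal passwords give equal hashes, visible to anyone reading the table.
    print(stored_hash(db, "carol") == stored_hash(db, "dave"))
```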
