[WEB SECURITY] Salt Storage - web.config or database?

Brian Eaton eaton.lists at gmail.com
Thu Jun 1 11:51:56 EDT 2006


On 6/1/06, Peluso, Cynthia M. <Cynthia.Peluso at us.ngrid.com> wrote:
> Where is the best place to store salts?  I have developers that will be
> using the Microsoft random number generator (ASP.NET ) to generate a
> salt to append to the password and then hash.  They want to store the
> salt in the web.config file and the password hashes in the database.
> What is  best practice for salt storage?  The concern is that storing
> the salts in the database will increase traffic volume. I'm not sure if
> this is the case as we are talking 16 bytes or so.  If stored in
> web.config at the presentation layer, should it be encrypted?

A salt should not need to be kept secret.  The idea is that if someone
steals the password hashes and the salts, they can't use a precomputed
dictionary to crack the passwords.  So from a security perspective,
the answer is probably "doesn't matter."

On the other hand, if you are ever going to want other applications do
be able to use this database for authentication, having the password
salts in the web.config file would make that more difficult.

There is also the matter of how well the web.config file is going to
scale.  You're going to have one salt per-user, right?  That
web.config file could get large fairly quickly.

> The concern is that storing the salts in the database will increase traffic volume.

Unless someone has actually measured the difference in performance,
this is just blowing smoke.

Regards,
Brian

----------------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/



More information about the websecurity mailing list