[WEB SECURITY] Salt Storage - web.config or database?

Marc-André Laverdière ma_laver at ciise.concordia.ca
Thu Jun 1 13:04:35 EDT 2006

What algorithm are you gonna use?

My experience with salted SHA-1 (SSHA) is that the salt is integrated into 
the hash, so that you don't need to store it separately.

Here is some code that shows what I'm talking about:

As a sidenote, it'd be preferable to go for a salted variant of SHA-256, 
since cryptologists have been working very hard on breaking SHA-1 and 
made some progress a few months ago.

Here is some practical advice:

P.S. Make sure that you use a cryptographically strong random number 
generator. .NET should normally have one of those.

Peluso, Cynthia M. wrote:
> Where is the best place to store salts?  I have developers that will be
> using the Microsoft random number generator (ASP.NET ) to generate a
> salt to append to the password and then hash.  They want to store the
> salt in the web.config file and the password hashes in the database.
> What is best practice for salt storage?  The concern is that storing
> the salts in the database will increase traffic volume. I'm not sure if
> this is the case as we are talking 16 bytes or so.  If stored in
> web.config at the presentation layer, should it be encrypted?
> Cindy Peluso

Marc-André LAVERDIÈRE, B. Eng., M. A. Sc. (in progress)
Computer Security Laboratory - Laboratoire de sécurité informatique
CIISE, Université Concordia University, Montréal, Québec, Canada

\ /    ASCII Ribbon Campaign
  X      against HTML e-mail
/ \

"Perseverance must finish its work so that you may be mature and 
complete, not lacking anything." -James 1:4
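The scheme the reply describes, as an added illustration (not the poster's own code, which did not come through in the archive): the salt is carried inside the stored value, so the database column holds one self-describing string and web.config holds nothing. The `{SSHA256}` label, the 16-byte salt length and the digest||salt layout are assumptions modelled on the LDAP-style SSHA format; a single salted SHA-256 pass is shown to match the post, whereas a purpose-built password hash (PBKDF2, bcrypt) is the stronger choice today.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed storage layout modelled on the LDAP-style {SSHA} scheme the
# post describes: one string holding base64(digest || salt). Nothing here
# is the poster's own code; the scheme label and lengths are assumptions.
SCHEME = "{SSHA256}"
SALT_LEN = 16                               # the "16 bytes or so" from the thread
DIGEST_LEN = hashlib.sha256().digest_size   # 32


def make_ssha256(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-contained record: SCHEME + base64(sha256(pw||salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)         # CSPRNG, as the P.S. insists
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def split_record(stored: str):
    """Recover (digest, salt) from a stored record; the salt travels inside it."""
    if not stored.startswith(SCHEME):
        raise ValueError("unknown scheme")
    raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    if len(raw) != DIGEST_LEN + SALT_LEN:
        raise ValueError("malformed record")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def verify_ssha256(password: str, stored: str) -> bool:
    """Recompute with the embedded salt and compare in constant time."""
    try:
        digest, salt = split_record(stored)
    except ValueError:
        return False
    candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    rec = make_ssha256("correct horse battery staple")
    print(rec)                                                  # one column to store
    print(verify_ssha256("correct horse battery staple", rec))  # True
    print(verify_ssha256("wrong", rec))                         # False
```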
