[WEB SECURITY] Salt Storage - web.config or database?

Marian Ion marian.ion at e-licitatie.ro
Fri Jun 2 01:34:42 EDT 2006


No matter the technology, from a security point of view it is best to keep them
(salt and hashed passwords) separate. A database can be vulnerable due to
exploits, or weak programming.

Marian Ion




-----Original Message-----
From: Peluso, Cynthia M. [mailto:Cynthia.Peluso at us.ngrid.com] 
Sent: Thursday, June 01, 2006 6:15 PM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] Salt Storage - web.config or database?

 
Where is the best place to store salts?  I have developers that will be
using the Microsoft random number generator (ASP.NET) to generate a
salt to append to the password and then hash.  They want to store the
salt in the web.config file and the password hashes in the database.
What is best practice for salt storage?  The concern is that storing
the salts in the database will increase traffic volume. I'm not sure if
this is the case as we are talking 16 bytes or so.  If stored in
web.config at the presentation layer, should it be encrypted?

Cindy Peluso


Cindy Peluso
cynthia.peluso at us.ngrid.com
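The scheme the thread discusses (random salt, appended to the password, then hashed), written out as an added example that is not code from either poster. It is in Python rather than ASP.NET because the technique is language-independent; the PBKDF2 work factor, the `$`-separated record format, and the sample passwords are assumptions of this example. It stores a fresh 16-byte salt per user in the same record as the hash, which is the "16 bytes or so" of extra data per row that the question worries about. A salt is not secret, so it needs no encryption; what matters is that it is unique per user. The last two functions show why one site-wide salt (a single value in web.config) is weaker: two users with the same password end up with the same stored hash, while per-user salts hide that.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed parameters for this example (not from the thread).
ITERATIONS = 200_000   # PBKDF2 work factor; raise as hardware allows
SALT_BYTES = 16        # matches the "16 bytes or so" in the question


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Build the string stored in the password column.

    Format: pbkdf2_sha256$<iterations>$<salt b64>$<hash b64>
    The salt is random per user and stored beside the hash, so each
    row carries everything needed to verify a login later.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, iters, salt_b64, hash_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown password record format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


def shared_salt_reveals_duplicates(passwords, shared_salt: bytes) -> bool:
    """One salt for every user (a single web.config value): identical
    passwords produce identical hashes, so duplicates are visible in a dump."""
    hashes = [
        hashlib.pbkdf2_hmac("sha256", p.encode("utf-8"), shared_salt, 1000)
        for p in passwords
    ]
    return len(set(hashes)) < len(hashes)


def per_user_salt_hides_duplicates(passwords) -> bool:
    """Per-user random salts: the same password hashes differently in each row."""
    records = [make_record(p, iterations=1000) for p in passwords]
    hashes = [r.split("$")[3] for r in records]
    return len(set(hashes)) == len(hashes)


if __name__ == "__main__":
    # Constructed sample values; no real credentials.
    rec = make_record("correct horse battery staple")
    print(rec)
    print("login ok:", verify("correct horse battery staple", rec))
    print("wrong pw:", verify("Tr0ub4dor&3", rec))
    users = ["hunter2", "hunter2", "something-else"]
    print("shared salt exposes duplicates:",
          shared_salt_reveals_duplicates(users, b"\x00" * SALT_BYTES))
    print("per-user salt hides duplicates:", per_user_salt_hides_duplicates(users))
```

The record is self-describing (algorithm and iteration count travel with the salt and hash), so the work factor can be raised for new passwords without breaking verification of old rows.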




----------------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/


