[WEB SECURITY] Salt Storage - web.config or database?

Martin O'Neal martin.oneal at corsaire.com
Fri Jun 2 08:27:41 EDT 2006


> No matter the technology, from a security point of view it 
> is best to keep them (salt and hashed passwds) separate. 

How would keeping them separate improve the security?  Whatever delivers
the authentication will inevitably need access to both, and logically
speaking it would be likely that an attacker compromising one will get
the other.  Separating them just introduces the potential for
reliability issues if the synchronisation fails...

Martin...

----------------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
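
The synchronisation risk raised in the message above, as an added example that is not part of the original post: a Python sketch in which `SplitStore` and `CombinedStore` are hypothetical in-memory stand-ins for a separate salt store plus password database and for a single record, with PBKDF2 as an assumed hash function. In both designs the verifier has to read the salt and the hash, and an interrupted password change breaks only the split design.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed value for this example


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class SplitStore:
    """Salt and hash kept apart (hypothetical stand-ins for config file + DB)."""
    def __init__(self):
        self.salts, self.hashes = {}, {}

    def set_password(self, user, password, fail_second_write=False):
        salt = os.urandom(16)
        self.salts[user] = salt                      # write 1: salt store
        if fail_second_write:                        # simulated outage between writes
            raise IOError("hash store unavailable")
        self.hashes[user] = derive(password, salt)   # write 2: hash store

    def verify(self, user, password):
        # Authentication still needs BOTH values, so it reads both stores.
        salt, stored = self.salts.get(user), self.hashes.get(user)
        if salt is None or stored is None:
            return False
        return hmac.compare_digest(derive(password, salt), stored)


class CombinedStore:
    """Salt and hash in one record, replaced with a single write."""
    def __init__(self):
        self.records = {}

    def set_password(self, user, password):
        salt = os.urandom(16)
        self.records[user] = salt.hex() + "$" + derive(password, salt).hex()

    def verify(self, user, password):
        record = self.records.get(user)
        if record is None:
            return False
        salt_hex, hash_hex = record.split("$")
        candidate = derive(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def demo():
    split, combined = SplitStore(), CombinedStore()
    split.set_password("alice", "old-pass")
    combined.set_password("alice", "old-pass")
    try:  # password change interrupted after the salt write
        split.set_password("alice", "new-pass", fail_second_write=True)
    except IOError:
        pass
    return (split.verify("alice", "old-pass"), split.verify("alice", "new-pass"),
            combined.verify("alice", "old-pass"))
```
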