[WEB SECURITY] Salt Storage - web.config or database?

Marian Ion marian.ion at e-licitatie.ro
Fri Jun 2 09:33:56 EDT 2006

	Basically, authentication can be attempted, commonly, by web pages, web
services, or packet generators.
	Assuming a web application, keeping the salt in the web.config or the
machine.config file, (both not accessible from web on a well configured server
as far as I know), or an xml or txt file, and the hashed passwords in the
database, prevents direct access to both items necessary to force an
	Of course, there may always be other possibilities, like man in the
middle, maybe some other ways to authenticate on a misconfigured web server,
private exploits, to access the server or to get the credentials (after all,
accessing sensitive data can also be done at a lower layer ...).
	Discussing web services (+ desktop applications) or packet generators
extends the discussion much beyond the current purpose. As well, breaking
security at system / domain level, or having web and sql on the same server.
	I think it's a matter of trust and development experience choosing
between salt + hashed in database (with different salt for each user) or keep
them separate (commonly with 1 salt for all users).

Marian Ion

-----Original Message-----
From: Martin O'Neal [mailto:martin.oneal at corsaire.com] 
Sent: Friday, June 02, 2006 3:28 PM
To: Marian Ion; Peluso, Cynthia M.; websecurity at webappsec.org
Subject: RE: [WEB SECURITY] Salt Storage - web.config or database?

> No matter the technology, from a security point of view it 
> is best to keep them (salt and hashed passwds) separate. 

How would keeping them separate improve the security?  Whatever delivers
the authentication will inevitably need access to both, and logically
speaking it would be likely that an attacker compromising one will get
the other.  Separating them just introduces the potential for
reliability issues if the synchronisation fails...


CONFIDENTIALITY:  This e-mail and any files transmitted with it are
confidential and intended solely for the use of the recipient(s) only.
Any review, retransmission, dissemination or other use of, or taking
any action in reliance upon this information by persons or entities
other than the intended recipient(s) is prohibited.  If you have
received this e-mail in error please notify the sender immediately
and destroy the material whether stored on a computer or otherwise.
DISCLAIMER:  Any views or opinions presented within this e-mail are
solely those of the author and do not necessarily represent those
of Corsaire Limited, unless otherwise specifically stated.
Corsaire Limited, 3 Tannery House, Tannery Lane, Send, Surrey, GU23 7EF
Telephone: +44(0)1483-226000  Email:info at corsaire.com

The Web Security Mailing List

The Web Security Mailing List Archives

More information about the websecurity mailing list