Post Closed as "Duplicate" by Gilles 'SO- stop being evil', RoraΖ, CommunityBot, Xander, paj28
added 1 character in body
user45139

I'm developing an authentication service.

I know the practice of generating a unique salt per user, stored in the DB with the hashed password, to prevent rainbow table attacks.

I just had the idea of adding a second salt, inside the code, not existing in the DB, so if the database is leaked (but not the code), even weak passwords are not vulnerable to brute-force.

It seems to be a good idea to me, but as I'm not an expert I'd like to have the confirmation of people who are good in information security.


IggY

Password hashing : Using 2 salts

I'm programming an authentication service.

I know the practice of generating a unique salt per user, stored in the DB with the hashed password, to prevent rainbow table attacks.

I just had the idea of adding a second salt, inside the code, not existing in the DB, so if the database is leaked (but not the code), even weak passwords are not vulnerable to brute-force.

It seems to be a good idea to me, but as I'm not an expert I'd like to have the confirmation of people who are good in information security.
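As an added illustration (not code from the question or its answers), here is the scheme the question describes: a random per-user salt stored next to the hash in the DB, plus a server-side secret held outside the DB (usually called a pepper; assumed here to be loaded from code or config and shown as a constructed constant), applied as an HMAC key over the KDF output. The last function models what a holder of only the leaked DB row can do with it.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed example value: in a real deployment the pepper lives in code, an
# environment variable or a secrets manager, never in the database row.
PEPPER = bytes.fromhex("6f1c3d5a9b2e4c7d8a0f1e2d3c4b5a69")
ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)


@dataclass
class StoredCredential:
    """What the database holds for one user: per-user salt and the final digest."""
    salt: bytes
    digest: bytes


def derive(password: str, salt: bytes, pepper: bytes) -> bytes:
    """Per-user salt feeds the slow KDF; the pepper keys an HMAC over its output.

    Using HMAC rather than simple concatenation makes the pepper a proper secret
    key, so the stored digest cannot be recomputed by anyone who lacks it.
    """
    kdf_out = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.new(pepper, kdf_out, hashlib.sha256).digest()


def register(password: str, pepper: bytes = PEPPER) -> StoredCredential:
    """Create the DB record: a fresh 16-byte random salt plus the peppered digest."""
    salt = os.urandom(16)
    return StoredCredential(salt=salt, digest=derive(password, salt, pepper))


def verify(password: str, cred: StoredCredential, pepper: bytes = PEPPER) -> bool:
    """Constant-time comparison of the recomputed digest against the stored one."""
    return hmac.compare_digest(derive(password, cred.salt, pepper), cred.digest)


def db_only_verifies(password: str, cred: StoredCredential) -> bool:
    """Model of someone holding only the leaked row (salt + digest) and no pepper.

    Without the pepper the digest cannot be reproduced, so even the correct
    password does not check out; that is the property the question is after.
    """
    return verify(password, cred, pepper=b"")


if __name__ == "__main__":
    record = register("correct horse battery staple")
    print("login ok:         ", verify("correct horse battery staple", record))   # True
    print("wrong password:   ", verify("hunter2", record))                        # False
    print("DB row, no pepper:", db_only_verifies("correct horse battery staple", record))  # False
```

Because the pepper is a key rather than a salt, it needs key handling: keep it out of the DB and its backups, and store a pepper version id with each record so a rotated pepper can be applied the next time the user logs in.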