Where to store your salt

Discussion in 'ASP .Net Security' started by Edgar Sánchez, Jan 24, 2004.

  1. Reviewing the code in "Building Secure Microsoft ASP.NET Applications" for
    hashing passwords with salt, I see that the salt is stored in the same table
    as the hashed password. The idea of using salt is to make a dictionary
    attack harder, but if we store the salt close to the hashed password then the
    attacker can attach the salt to the dictionary passwords and go on with
    his/her attack. From what I understood of the salting technique, the salt
    should be saved somewhere else. Is this right, or am I missing something?
    Edgar Sánchez, Jan 24, 2004
    #1

  2. Some people store the salt in the web.config.

    "Edgar Sánchez" <> wrote in message
    news:%...
    > Reviewing the code in "Building Secure Microsoft ASP.NET Applications" for
    > hashing passwords with salt, I see that the salt is stored in the same table
    > as the hashed password. The idea of using salt is to make a dictionary
    > attack harder, but if we store the salt close to the hashed password then the
    > attacker can attach the salt to the dictionary passwords and go on with
    > his/her attack. From what I understood of the salting technique, the salt
    > should be saved somewhere else. Is this right, or am I missing something?

    Ken Cox [Microsoft MVP], Jan 26, 2004
    #2

  3. Derek Slager (Guest)

    On Fri, 23 Jan 2004 22:41:26 -0500, Edgar Sánchez wrote:

    > Reviewing the code in "Building Secure Microsoft ASP.NET Applications" for
    > hashing passwords with salt, I see that the salt is stored in the same table
    > as the hashed password. The idea of using salt is to make a dictionary
    > attack harder, but if we store the salt close to the hashed password then the
    > attacker can attach the salt to the dictionary passwords and go on with
    > his/her attack. From what I understood of the salting technique, the salt
    > should be saved somewhere else. Is this right, or am I missing something?


    Salt values are primarily used to prevent dictionary attacks using
    pre-computed hashes. It's better to store it separately, but unless they
    have already computed the hashes for their dictionary using the exact same
    salt value they still have work to do.

    -Derek
    Derek Slager, Jan 26, 2004
    #3
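
Added example (not part of any post in this thread, and not the book's code): a Python sketch of the point made in post #3, that hashes computed ahead of time for one salt value are of no use against records that each carry their own random salt, even when that salt sits in the same row as the hash. PBKDF2-HMAC-SHA256, the iteration count, the word list and all function names are assumptions of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, chosen for this example
WORDS = ["letmein", "password1", "qwerty"]  # constructed sample dictionary


def derive(password, salt):
    """Salted, iterated hash of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_record(password, salt=None):
    """Build the row stored per user: the salt sits next to the hash."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every user
    return {"salt": salt, "hash": derive(password, salt)}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(derive(password, record["salt"]), record["hash"])


def build_table(words, salt):
    """Hashes computed ahead of time; valid for this one salt value only."""
    return {derive(w, salt): w for w in words}


def demo():
    shared = b"constructed-shared-salt"  # constructed value, one salt for all rows
    table = build_table(WORDS, shared)
    same_salt = create_record("letmein", shared)  # hashed with the table's salt
    alice = create_record("letmein")              # per-user random salt
    bob = create_record("letmein")                # same password, different salt
    return {
        "hit_same_salt": table.get(same_salt["hash"]),  # table matches this row
        "hit_alice": table.get(alice["hash"]),          # no match: other salt
        "hit_bob": table.get(bob["hash"]),              # no match: other salt
        "hashes_differ": alice["hash"] != bob["hash"],
        "alice_verifies": verify("letmein", alice),
        "wrong_password": verify("qwerty", alice),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The stored salt is what lets `verify` work at login; what it costs an attacker is that the dictionary has to be rehashed separately for every row.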