Where to store your salt

Edgar Sánchez

Reviewing the code in "Building Secure Microsoft ASP.NET Applications" for
hashing passwords with salt, I see that the salt is stored in the same table
as the hashed password. The idea of using salt is to make a dictionary
attack harder, but if we store the salt close to the hashed password then the
attacker can attach the salt to the dictionary passwords and go on with
his/her attack. From what I understood of the salting technique, the salt
should be saved somewhere else; is this right or am I missing something?
 
Derek Slager

> Reviewing the code in "Building Secure Microsoft ASP.NET Applications" for
> hashing passwords with salt, I see that the salt is stored in the same table
> as the hashed password. The idea of using salt is to make a dictionary
> attack harder, but if we store the salt close to the hashed password then the
> attacker can attach the salt to the dictionary passwords and go on with
> his/her attack. From what I understood of the salting technique, the salt
> should be saved somewhere else; is this right or am I missing something?

Salt values are primarily used to prevent dictionary attacks using
pre-computed hashes. It's better to store it separately, but unless they
have already computed the hashes for their dictionary using the exact same
salt value they still have work to do.

-Derek
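
An added example, not part of the thread or of the book's code, illustrating the point in the reply above in Python: a table of pre-computed hashes only matches records that used the exact salt value it was built for, so a random per-user salt stored in the clear beside the hash still defeats it. PBKDF2, the iteration count, the record layout and the sample words are assumptions of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # work factor assumed for this example


def derive(password, salt):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256), hex-encoded for storage."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def new_record(password, salt=None):
    """Row stored per user: the salt sits in the clear beside the hash."""
    salt = os.urandom(16) if salt is None else salt
    return {"salt": salt.hex(), "hash": derive(password, salt)}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    candidate = derive(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, record["hash"])


def table_for_salt(words, salt):
    """Hashes computed ahead of time; valid only for this one salt value."""
    return {derive(w, salt): w for w in words}


def demo():
    words = ["letmein", "winter2024", "correct horse"]  # constructed sample list
    fixed = bytes(16)  # constructed: one salt value reused for every user
    table = table_for_salt(words, fixed)
    reused = [new_record("letmein", fixed), new_record("letmein", fixed)]
    unique = [new_record("letmein"), new_record("letmein")]  # random salt each
    return {
        "reused_salt_hits": sum(r["hash"] in table for r in reused),
        "unique_salt_hits": sum(r["hash"] in table for r in unique),
        "unique_hashes_differ": unique[0]["hash"] != unique[1]["hash"],
        "login_still_works": all(verify("letmein", r) for r in unique),
    }


if __name__ == "__main__":
    print(demo())
```

With a reused salt, one pre-computed table covers every row; with per-user salts, the same password yields different stored hashes and the table matches none of them, while login verification is unaffected.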
 
