

In light of Gawker's recent situation, how should you be salting passwords? - Skywing

I figured I'd ask. We all know by now that Gawker was compromised and it sounds like they weren't salting their passwords very well, or at all.

With that in mind, what is the proper way to do this? Is it fine to simply have a single, rather random salt used or should you somehow change the salt all the time? If the salt changes, how do you know how to compare it when they're logging in?
======
mathgladiator
[https://github.com/mathgladiator/win/blob/master/lib/win.sec...](https://github.com/mathgladiator/win/blob/master/lib/win.security.js)

I give it both a static prefix and a configurable suffix.

I once had a system that used their login as part of the salt, but that
introduced major support issues.

~~~
smoody
But, specific to Gawker's case -- where the databases and source code are
compromised, this would not work, correct? There'd have to be some salt that
does not exist in the database, config files, or source code. I guess one
could, as a (weak) added level of security, pass-in values when a server is
spun-up (or apache, etc) that are part of the launching of apps, but not store
in files of any kind.

~~~
njg
The salt has to be present in your system so you can use it to hash the
provided password and check that it matches the hash you have on file. People
usually keep it right next to the password.

The salt serves two functions:

Make rainbow table attacks more difficult.

Obscuring cases where two users have the same password. If two users both use
"blah7$monkey" as their password and you don't use a salt, they will hash to
the same value.

If I steal your password database and I want to compromise one account, a salt
offers no protection. Hash algo and password strength are what matter.
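To make the storage-and-verify flow concrete (an added example, not code from the thread or from mathgladiator's library): a random per-user salt is generated at set time, stored in plain sight next to the hash, and read back at login to recompute and compare. The PBKDF2-HMAC-SHA256 choice, iteration count and "algo$iterations$salt$hash" record layout are assumptions for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed parameters for this example; tune the iteration count to your hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record "pbkdf2_sha256$iterations$salt_hex$hash_hex".

    The salt is random per user and is stored right beside the hash. It is not a
    secret: its job is to make every stored hash unique, so a precomputed
    (rainbow) table is useless and two users with the same password do not
    produce the same record.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{ALGO}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt and iteration count taken from the record.

    Because the salt and parameters travel with the record, the salt can change
    per user (or on password reset) without any extra bookkeeping at login.
    """
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$", 3)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def same_password_distinct_records(password: str) -> bool:
    """Constructed check: two users with one password still get different records."""
    return hash_password(password) != hash_password(password)
```

Note that the slow KDF, not the salt, is what protects a single targeted account once the database is stolen, which is exactly the distinction drawn above.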

------
1331
[http://chargen.matasano.com/chargen/2007/9/7/enough-with-the...](http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html)

------
ra
[http://stackoverflow.com/questions/401656/secure-hash-and-sa...](http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords/401684#401684)

