
Why don't people use a private salt to beef up security? For example, record the per-password salt in the DB along with the hashed password, but when calculating the hash, concatenate the per-password salt with a salt stored in the program.

I realise it is kind of security through obscurity, but in this instance the SQL injection wouldn't have compromised the private salt and it would have been much harder to recover the passwords. Presumably, you would have to use a known pass/hash combo to brute force the private salt, which would take a lot more computation time than recovering simple passwords.
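The scheme described in the comment above, as an added example (not code from the original thread): a per-password random salt is stored next to the hash, while a program-side secret (commonly called a pepper) is concatenated into the key-derivation salt but never written to the database, so a dump of the table alone does not verify. The `PEPPER` value, `ITERATIONS`, and the function names are assumptions for this demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample pepper for this demo only. In a real deployment it is
# loaded from config or a secrets store kept outside the database
# (e.g. an environment variable), never stored next to the hashes.
PEPPER = b"example-pepper-not-for-production"
ITERATIONS = 200_000  # assumed PBKDF2 work factor for the example


def hash_password(password: str, pepper: bytes, salt: Optional[bytes] = None) -> dict:
    """Return the record to store in the DB: per-password salt and hash.

    The pepper is mixed into the key-derivation salt but is NOT part of
    the stored record; that is the point of the scheme in the comment.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random per-password salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt + pepper, ITERATIONS
    )
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict, pepper: bytes) -> bool:
    """Recompute with the stored salt plus the program's pepper and compare.

    Without the correct pepper (e.g. an attacker holding only the DB dump),
    even the right password fails to verify.
    """
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt + pepper, ITERATIONS
    )
    # constant-time comparison to avoid leaking where the digests differ
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple", PEPPER)
    print("stored record:", rec)
    print("correct password + pepper:", verify_password("correct horse battery staple", rec, PEPPER))
    print("correct password, no pepper:", verify_password("correct horse battery staple", rec, b""))
```

Note that a pepper protects only against a leak of the database; it does nothing if the application host (where the pepper lives) is compromised too, and if the pepper is ever lost or rotated, existing hashes can no longer be verified.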
