thminco — 2011-10-27T18:10:48-04:00 — #1
I'm thinking of using md5 &/or sha1 and salt to store passwords into an sql database table. My question is..would it not be safer to store the salt "clear text" in another table and just leave a "key" so to speak in the table with the password. In other words, if a hacker gets into the password and key table by using sql injection, does he only have access to that table since he wouldn't even know the name of the other table unless he also was able to access the script code.
cranial_bore — 2011-10-27T18:29:13-04:00 — #2
I think you'll be complicated your DB design for very little security pay off. Just have a per-user salt and you'll be good to go. An attacker would have to compile a new dictionary for every user which would be very time consuming.
felgall — 2011-10-27T21:15:38-04:00 — #3
The main reson for hashing the passwords is to make absolutely certain that the staff actually working in the server room cannot just read off all your userids and passwords - of course the staff working in that location ought to be able to be trusted but hashing the passwords prevents them from seeing what the passwords are at all even when they have a legitimate reason for needing to inspect your database content.