On 10/14/2013 02:49 PM, Martin Vaeth wrote:
> 
>> Hiding the salt would just be security through obscurity.
> 
> And yet it is stupid if you do not do it and give away a
> huge constant factor for no advantage.
> 

(I'll just agree to disagree about the rest.)

Keeping the salt secret makes your application more complex. Rather than
"SELECT hash, salt FROM users WHERE...", you now have to "SELECT hash
FROM users WHERE..." and then pull the salt from somewhere else. (Where?
The filesystem? Do you encrypt that? How?)

What's stupid is going to all that effort for a 2x improvement when you
could twiddle a bit and get a 340282366920938463463374607431768211456x
improvement.
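As an added example (not code from the thread), here is the layout the reply describes: the per-user salt lives in the same row as the hash, is fetched with "SELECT hash, salt FROM users WHERE...", and the knob that actually buys orders of magnitude is the cost parameter of the hash, not secrecy of the salt. It assumes an in-memory SQLite table and PBKDF2-HMAC-SHA256 with constructed parameters.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed parameters for the demonstration. The iteration count is the cost
# knob: doubling it doubles the attacker's work per guess across all users.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16  # 128-bit random salt, unique per user, stored in the clear


def open_db():
    # Constructed schema: the salt is a column of the same row as the hash.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (name TEXT PRIMARY KEY, hash BLOB, salt BLOB, iters INTEGER)"
    )
    return db


def derive(password, salt, iters):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)


def register(db, name, password):
    salt = os.urandom(SALT_BYTES)
    digest = derive(password, salt, PBKDF2_ITERATIONS)
    db.execute(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        (name, digest, salt, PBKDF2_ITERATIONS),
    )
    return digest


def verify(db, name, password):
    # One query returns everything needed: no second secret store for the salt.
    row = db.execute(
        "SELECT hash, salt, iters FROM users WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        return False
    stored, salt, iters = row
    # Constant-time comparison so verification timing does not leak the hash.
    return hmac.compare_digest(stored, derive(password, salt, iters))
```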
