How about security by obscurity? If your db table has a field named "salt" it's too obvious, but if you use a non-changing value from the users table (like signup date) concatenated with some application constant it should add a reasonable level of security.
--
Hector Virgen
Sent from my Droid X

On Aug 30, 2010 10:12 PM, "Ralf Eggert" <[email protected]> wrote:
> Hi Bill,
>
>> It's not necessary to md5 your salt before appending it to the password.
>> It's more important to use a distinct salt per user, and apply key
>> strengthening.
>
> interesting stuff. But where should the distinct salt per user be saved?
> It feels quite wrong to store it in the database right beside the
> password. Or should it be combined from, let's say: user id, email
> address and registration date?
>
> Best regards,
>
> Ralf
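As an added example that is not part of this thread, the following Python code shows the approach Bill's quoted reply recommends: a random, distinct salt per user combined with key strengthening (PBKDF2-HMAC-SHA256), with the salt stored in the same record as the hash, which is the placement Ralf asks about. The record layout (`pbkdf2_sha256$iterations$salt$hash`), the iteration count and the sample users are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed iteration count for key strengthening; tune it to the target
# hardware so that one verification costs a noticeable fraction of a second.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, iterations, salt, derived key.

    A fresh random salt is drawn for every call, so two users with the same
    password get different records and an attacker cannot reuse one table of
    precomputed hashes across accounts.
    """
    if salt is None:
        salt = secrets.token_bytes(16)  # 128-bit random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    salt = bytes.fromhex(salt_hex)
    expected = bytes.fromhex(dk_hex)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(iterations))
    # compare_digest avoids leaking where the first mismatching byte is
    return hmac.compare_digest(candidate, expected)


def build_sample_table() -> dict:
    """Constructed sample of a users table: the salt lives inside the password record."""
    users = {}
    for name, pw in [("ralf", "correct horse"), ("hector", "correct horse")]:
        users[name] = {"signup": "2010-08-30", "password": hash_password(pw)}
    return users


if __name__ == "__main__":
    table = build_sample_table()
    for name, row in table.items():
        print(name, row["password"])
    print(verify_password("correct horse", table["ralf"]["password"]))  # True
    print(verify_password("wrong", table["ralf"]["password"]))          # False
```

Because the salt is random and stored with the hash, it does not need to be secret: its job is to make each user's hash unique and force a per-account brute force, while the iteration count makes each guess expensive. A salt derived from stable fields such as signup date would be reproducible by anyone who reads the same table, which is why a random value is the usual choice.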
