"Milan Mimica" <[email protected]> wrote:
> Yes, having the salt randomly generated and storing it with a hash is a
> better idea. Note taken. Combining it with a fixed salt (and trying to keep
> it secret) is even better. Keeping a hardcoded salt in the image running on
> the remote machine serving WEB pages makes it quite secret IMO.
I was referring to Mariano's intent (at least how I understand it) to hardcode it "in code". If he's confident he'll be able to keep the code secret then he may as well have the password in it in plain text; hashing it, with or without salt, doesn't make much difference IMO. Generating a random salt and keeping a hashed password on a deployed system is a different scenario. In this case it's different and unpredictable with every deployment. When it's hardcoded it's the same everywhere.
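The two scenarios discussed in this exchange, as an added example that is not part of the original thread: a random per-record salt stored alongside the digest versus a salt hardcoded into every deployed image. The PBKDF2 iteration count, the `algo$iterations$salt$digest` record format and the `FIXED_SALT` value are assumptions made for this example.

```python
# Added example (not from the thread): random per-record salt stored with the
# hash, contrasted with a fixed salt baked into every deployment.
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Assumption: a PBKDF2 work factor chosen for this example, not a recommendation.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a PBKDF2-HMAC-SHA256 digest and return a self-describing record.

    With no salt supplied, a fresh 16-byte random salt is drawn, so hashing the
    same password twice (or on two deployments) yields two different records.
    The salt is stored in the record; it does not need to be secret.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# The hardcoded-salt scenario from the thread: the same salt ships in every
# image, so an identical password produces a byte-identical record everywhere.
FIXED_SALT = b"constructed-fixed-salt"  # constructed value for this example


def hash_with_fixed_salt(password: str) -> str:
    return hash_password(password, FIXED_SALT)


def records_differ(password: str, hasher: Callable[[str], str]) -> bool:
    """Simulate two deployments hashing the same password.

    Returns True when the stored records differ (random salt) and False when
    they are identical (fixed salt), which is the distinction drawn above.
    """
    return hasher(password) != hasher(password)


if __name__ == "__main__":
    pw = "correct horse battery staple"
    rec = hash_password(pw)
    print(rec)
    print("verify correct password:", verify_password(pw, rec))
    print("verify wrong password:  ", verify_password("wrong", rec))
    print("random salt: records differ across deployments:", records_differ(pw, hash_password))
    print("fixed salt:  records differ across deployments:", records_differ(pw, hash_with_fixed_salt))
```

Because the random salt lives in the record, the verifier needs no secret to check a password; what the attacker gains from a leaked image is nothing they could not already read from the database. With the fixed salt, one cracked password dictionary applies unchanged to every deployment that shares the image.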
