WebApp Sec mailing list archives

Salt Storage - web.config or database?


From: cynthia.peluso () us ngrid com
Date: 1 Jun 2006 14:20:09 -0000

Where is the best place to store salts?  I have developers that will be using the Microsoft random number generator
(ASP.NET) to generate a salt to append to the password and then hash.  They want to store the salt in the web.config
file and the password hashes in the database.  What is best practice for salt storage?  The developer's concern is
that storing the salts in the database will increase traffic volume.  I'm not sure if this is the case as we are talking
16 bytes or so.  If stored in web.config what level of protection is required?

Cindy  
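
The two storage options in the question, side by side, as an added example that is not part of the original message. Python's `secrets` stands in for the ASP.NET random number generator, SHA-256 is an assumed hash (the message names none), and the accounts and in-memory tables are constructed.

```python
import hashlib
import hmac
import secrets

SALT_LEN = 16  # "16 bytes or so", as in the message

def hash_password(password, salt):
    # Scheme from the message: append the salt to the password, then hash.
    # SHA-256 is an assumption; the message names no hash function.
    return hashlib.sha256(password.encode("utf-8") + salt).digest()

# Option A: one application-wide salt, as a value kept in web.config would be.
CONFIG_SALT = secrets.token_bytes(SALT_LEN)

def enroll_config_salt(table, user, password):
    table[user] = {"hash": hash_password(password, CONFIG_SALT)}

# Option B: a fresh salt per user, stored in the same row as the hash.
def enroll_row_salt(table, user, password):
    salt = secrets.token_bytes(SALT_LEN)
    table[user] = {"salt": salt, "hash": hash_password(password, salt)}

def verify_row_salt(table, user, password):
    row = table.get(user)
    if row is None:
        return False
    # The salt arrives with the hash in the one row lookup login already does.
    return hmac.compare_digest(hash_password(password, row["salt"]), row["hash"])

def shared_hash_groups(table):
    """Users whose stored hashes are byte-identical (same password, same salt)."""
    groups = {}
    for user, row in table.items():
        groups.setdefault(row["hash"], []).append(user)
    return [sorted(g) for g in groups.values() if len(g) > 1]

def demo():
    # Constructed sample accounts; alice and bob chose the same password.
    accounts = [("alice", "Summer2006!"), ("bob", "Summer2006!"), ("carol", "x7#pQ-other")]
    table_a, table_b = {}, {}
    for user, password in accounts:
        enroll_config_salt(table_a, user, password)
        enroll_row_salt(table_b, user, password)
    extra_bytes = len(table_b["alice"]["salt"])  # per-row cost of option B
    return shared_hash_groups(table_a), shared_hash_groups(table_b), extra_bytes

if __name__ == "__main__":
    print(demo())
```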


