Java Programming

Cryptography - salt

807580 — Apr 23 2010 — edited Apr 23 2010
I have a question about what peoples views are on storing salts when using them in combination with a cryptographic hash function (let me say SHA-512 for my example).

Pseudocode

import java.security.MessageDigest;
import java.security.SecureRandom;

final byte[] salt = new byte[8]; // get 64 bit salt
new SecureRandom().nextBytes(salt);
MessageDigest md = MessageDigest.getInstance("SHA-512");
md.update(salt); // salt
byte[] bytes = md.digest(password); // password as byte[] (not shown in the post); etc ..., including iterating the hash operation

My question is to the "get salt" part.

Is it acceptable to store a secret salt in a file, separate from the passwords in the database, and use the same salt for every password? The alternative is to use a different salt each time and store the salt with the password in the database.

Surely if your database is compromised it is better that the attacker has the hashed passwords without the salt than the hashed passwords with the salt? But I have heard different views when looking on the internet.

Imagine you are looking for the most secure way.
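As an added example (not the poster's code), this is the second option from the question worked through in Java: every password gets its own random salt, and the iteration count and salt are stored in the database record beside the hash so verification can recompute it. A secret site-wide value kept outside the database (usually called a pepper) can be layered on top of per-user salts, but not used instead of them, since one shared salt lets an attacker attack all hashes with one table. The record format, the 128-bit salt size and the iteration count are assumptions made here.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
public class SaltedHash {
    private static final int SALT_BYTES = 16;      // 128-bit salt per password (assumed size)
    private static final int ITERATIONS = 100_000; // work factor, an assumed value
    // Iterated SHA-512 over (salt || data): the salt is mixed into every round so
    // a precomputed table for one user's salt is useless against any other user.
    static byte[] hash(byte[] salt, String password, int iterations)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-512");
        md.update(salt);
        byte[] out = md.digest(password.getBytes(StandardCharsets.UTF_8));
        for (int i = 1; i < iterations; i++) {
            md.update(salt);
            out = md.digest(out);
        }
        return out;
    }

    // What goes in the database column: iterations$base64(salt)$base64(hash).
    // The salt is stored in the clear; it only needs to be unique, not secret.
    static String create(String password) throws NoSuchAlgorithmException {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder enc = Base64.getEncoder();
        return ITERATIONS + "$" + enc.encodeToString(salt) + "$"
                + enc.encodeToString(hash(salt, password, ITERATIONS));
    }

    static boolean verify(String password, String record) throws NoSuchAlgorithmException {
        String[] parts = record.split("\\$");
        if (parts.length != 3) return false;
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        // Constant-time comparison so timing does not reveal how many bytes matched.
        return MessageDigest.isEqual(expected, hash(salt, password, iterations));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String record = create("correct horse battery");
        System.out.println(record);
        System.out.println(verify("correct horse battery", record));
        System.out.println(verify("wrong password", record));
    }
}
```

Storing the iteration count in the record lets you raise the work factor for new passwords later without breaking verification of old ones.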
Post Details
Locked on May 21 2010
Added on Apr 23 2010
3 comments
243 views