Hashing a password

[SuperKid]

Hi,

 

When you hash a password using a method like SHA1, BCrypt etc you provide a salt key, but I was wondering do you reuse one salt key throughout or generate a unique random salt key for each password you generator and store it?

 

I have seen both methods use, some people store in the database the salt key with the users password where both are unique or some people have one salt key they reuse to hash all passwords, which method is usually best?

 

Matt.

[The_Decryptor Veteran]

Using a per user salt is better because it defeats rainbow table reuse (The rainbow table has to be remade for each user vs. once for all users), but also not using something weak like SHA1 helps as well (BCrypt or SCrypt with a high iteration count is better)

[Dick Montage]

I will ask what language you are using, as there are some nice new methods for PHP.

 

But to answer your question, I use an unique salt per user, which upon a password reset is re-generated.  I also use a site salt as well.

[SuperKid]

I will ask what language you are using, as there are some nice new methods for PHP.

 

But to answer your question, I use an unique salt per user, which upon a password reset is re-generated.  I also use a site salt as well.

 

It was mainly just a general question, but I probably know what functions you're on about with PHP as I have seen some new password hashing functions :)

 

Using a per user salt is better because it defeats rainbow table reuse (The rainbow table has to be remade for each user vs. once for all users), but also not using something weak like SHA1 helps as well (BCrypt or SCrypt with a high iteration count is better)

 

Makes sense really, thanks! :)