What exactly does password hashing and salting protect against?
#23

wowdezign
So, what about running an algorithm on the stored salt before it is hashed?

Then, it wouldn't be site wide or the stored one.

For example:

Code:
Stored salt = Hf35s09W
The Salt used = 5Hf309Ws

In that example, all I did was take the two center characters of the stored salt and move them to the ends. This pattern could be as complex as you wanted it to be.

The key is that the attacker would have to know how you mutate the salt in order to use the salt.

Unless I have overlooked something, it seems like a simple way to use the advantages of each of the two methods. Each user has their own salt, it's just not the one in the database. However, the one in the database is the key to knowing the one used to hash the password. *IF* you know how it has been changed before the hash.

It could get all kinds of tricky too, like decrementing each numeric by 1, etc. In fact, you could operate on each position. The key is knowing the pattern that goes with each salt.
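
The scheme described in the post above, written out as an added example (not part of the original post or of any forum member's code). The function names, the sample password and the choice of PBKDF2-HMAC-SHA256 are assumptions; the post names no hash function.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # assumed work factor; the post does not specify one


def mutate_salt(stored: str) -> str:
    """The post's pattern: move the two centre characters to the ends."""
    if len(stored) < 2 or len(stored) % 2:
        raise ValueError("pattern needs an even-length salt")
    mid = len(stored) // 2
    return stored[mid - 1] + stored[:mid - 1] + stored[mid + 1:] + stored[mid]


def kdf(password: str, salt: str) -> str:
    """PBKDF2-HMAC-SHA256 (an assumption; any salted password hash fits here)."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)
    return raw.hex()


def hash_password(password: str, stored_salt: str) -> str:
    # The database keeps stored_salt; the hash is computed with the mutated one.
    return kdf(password, mutate_salt(stored_salt))


def verify(password: str, stored_salt: str, stored_hash: str) -> bool:
    # Constant-time comparison of the recomputed hash with the stored one.
    return hmac.compare_digest(hash_password(password, stored_salt), stored_hash)


if __name__ == "__main__":
    # Constructed sample row: the salt is the one from the post, the password is made up.
    row = {"salt": "Hf35s09W", "hash": hash_password("correct horse", "Hf35s09W")}
    print(mutate_salt(row["salt"]))
    print(verify("correct horse", row["salt"], row["hash"]))
    print(verify("wrong guess", row["salt"], row["hash"]))
    # Hashing with the salt exactly as stored does not reproduce the stored hash.
    print(kdf("correct horse", row["salt"]) == row["hash"])
```

The mutation rule lives in the application code, so it stays unknown only as long as the source does; the per-user stored salt is what keeps two users with the same password from sharing a hash.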


Messages In This Thread
What exactly does password hashing and salting protect against? - by El Forum - 01-08-2010, 01:08 PM


