What exactly does password hashing and salting protect against?

bretticus
Oh how I love to chime in on security issues (whether I'm good at it or not!)

Quote: So even if they have the salt, generating rainbow tables would still take too long. So saving the salt in the database is not an issue. Obviously it would be safer to store them somewhere else, but if your database is compromised, your system will probably be compromised anyway, so there really is no safe/convenient way to store salts.

Really, the hashing doesn't protect you at all from brute-force attacks on your website, since your authentication mechanism simply hashes an easy password (including the salt) anyway before it compares the result with the hash in your database. Thus, the only benefit of hashing is to protect passwords from the prying eyes of other administrators or a hacker who compromises your database only (which, in a sense, can possibly give him or her a free ride to your website anyway, as mentioned).

It should be noted though that if the username/password hash data were compromised, it would be trivial to build a rainbow table based on a dictionary plus the salt stored in the database. Thus, I think there is some merit to storing salt elsewhere.
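To make the mechanism in this post concrete, here is an added example (not code from the poster or from the forum software) of the "hash the submitted password with the stored salt and compare" login check, plus a demonstration of why a per-user random salt matters: a lookup table precomputed for one user's salt matches only that user, even when another user has the same weak password. The wordlist and user names are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a dictionary of common passwords (example data).
WORDLIST = ["password", "123456", "letmein", "qwerty", "welcome"]


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Store a per-user random salt next to hash(salt + password), as the post describes."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return {"salt": salt.hex(), "hash": digest}


def verify(record: dict, password: str) -> bool:
    """The login check: re-hash the submitted password with the stored salt and compare.
    Hashing adds nothing here; an easy password is accepted just as quickly as a strong one."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.sha256(salt + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, record["hash"])  # constant-time comparison


def build_table(salt_hex: str, words) -> dict:
    """Precompute hash -> word for ONE salt value, i.e. a lookup table bound to that salt."""
    salt = bytes.fromhex(salt_hex)
    return {hashlib.sha256(salt + w.encode()).hexdigest(): w for w in words}


def table_hits(table: dict, records: dict) -> dict:
    """Which users' stored hashes are found in a table built for a single salt."""
    return {user: table[r["hash"]] for user, r in records.items() if r["hash"] in table}


def demo() -> dict:
    """Two users with the same weak password but independent random salts."""
    users = {"alice": make_record("letmein"), "bob": make_record("letmein")}
    table = build_table(users["alice"]["salt"], WORDLIST)  # table tied to alice's salt only
    return {
        "online_guess_succeeds": verify(users["alice"], "letmein"),
        "wrong_password_rejected": not verify(users["alice"], "hunter2"),
        "same_password_distinct_hashes": users["alice"]["hash"] != users["bob"]["hash"],
        "table_hits": table_hits(table, users),  # {'alice': 'letmein'}; bob is not matched
    }
```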


Messages In This Thread
What exactly does password hashing and salting protect against? - by El Forum - 01-07-2010, 03:53 AM


