Have gone through several questions on this topic at SO, and am unable to

Question

0

Asked: June 5, 20262026-06-05T08:57:13+00:00 2026-06-05T08:57:13+00:00

Have gone through several questions on this topic at SO, and am unable to

0

Have gone through several questions on this topic at SO, and am unable to find answers to this specific query. I’ve seen
Salting Your Password: Best Practices? and the excellent answer to Non-random salt for password hashes, which both have very helpful guidelines, but doesn’t have a clear guideline on storage.

Is it advisable to have the hash, random salt and iteration count all in the same table? If not, what is a suggested approach?

I do understand that rainbow tables can’t be made easily with random salts in place, even if we have them together. The question is because there are many simple extra deterrents that can go a long way. For example, have the salt in a different table (injections usually leach a table, not a DB) and the iteration count in a different tier (say, a constant in mid-tier).

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-05T08:57:15+00:00

Editorial Team

2026-06-05T08:57:15+00:00Added an answer on June 5, 2026 at 8:57 am

It is the normal pattern to store the salt and iteration count together with the computed hash.

The salt is not a secret. A salt ‘works’ by being different for each computed hash. If the attacker knows the salt and iteration count, it does not help him in any way.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Have gone through several questions on this topic at SO, and am unable to

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply