I have two salts, each user has a unique salt that is stored with the user info in the database. The second salt is one that is specific to the website. Both are needed to hash the passwords.
Problem is I don’t know where I should keep my website salt. Right now it resides in the PHP method that runs the hashing algorithm. Should I keep it in a file outside the /var/www/ and have PHP open and read the file? I don’t want to store it in the database because that would defeat the purpose of having two salts should my database be compromised.
Any suggestions?
One option not mentioned yet? An environmental variable served by the server. You can do it in httpd.conf, or in a .htaccess. Since Apache doesn’t serve .htaccess files, you don’t need to worry about hiding it as much…
That way, all you need to do in your application is $salt = getenv('WEBSITE_SALT'); The benefit here is that it’s transparent to the application…
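An added example of the approach the answer describes (not code from the question or the answer): the site-wide salt is set by Apache, read with getenv() and combined with the per-user salt from the database. The Apache directive, the variable name WEBSITE_SALT, the placeholder value, and the choice of HMAC plus password_hash() as the hashing step are assumptions, since the original does not specify the hashing algorithm.

```php
<?php
// Added example, not from the original post. Apache side (assumed config, placeholder
// value; put it in httpd.conf or the vhost rather than .htaccess where possible):
//
//   SetEnv WEBSITE_SALT "REPLACE-WITH-A-LONG-RANDOM-VALUE"
//
declare(strict_types=1);

function websitePepper(): string
{
    // Under mod_php and PHP-FPM the SetEnv value is visible to getenv(); $_SERVER
    // is checked as a fallback for setups that only populate the request array.
    $pepper = getenv('WEBSITE_SALT');
    if ($pepper === false) {
        $pepper = $_SERVER['WEBSITE_SALT'] ?? false;
    }
    if ($pepper === false || strlen($pepper) < 32) {
        // Fail closed: hashing without the site salt would silently produce hashes
        // that can be attacked with the database contents alone.
        throw new RuntimeException('WEBSITE_SALT is missing or too short');
    }
    return $pepper;
}

// Per-user salt, generated at account creation and stored with the user row.
function newUserSalt(): string
{
    return bin2hex(random_bytes(16));
}

// Combine password, per-user salt and site salt. The site salt is used as an HMAC
// key rather than simply concatenated, and password_hash() (bcrypt, which adds its
// own salt and work factor) is applied on top so the result stays slow to brute-force.
function hashPassword(string $password, string $userSalt): string
{
    $keyed = hash_hmac('sha256', $userSalt . $password, websitePepper());
    return password_hash($keyed, PASSWORD_BCRYPT);
}

function verifyPassword(string $password, string $userSalt, string $storedHash): bool
{
    $keyed = hash_hmac('sha256', $userSalt . $password, websitePepper());
    return password_verify($keyed, $storedHash);
}

// Usage (assumes WEBSITE_SALT is present in the server or CLI environment):
$salt = newUserSalt();
$hash = hashPassword('correct horse battery staple', $salt);
var_dump(verifyPassword('correct horse battery staple', $salt, $hash));
```

Anything that can dump the environment (phpinfo(), a misconfigured debug page) exposes the value just as a readable config file would, so restrict those along with file permissions on the config.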