I want to make a secure website. Is updating the password salt every time a user logs in a good idea?
Edit: I additionally use a global salt, which is hard coded.
No, it makes no sense at all.
The purpose of salting hashes is to make them unique even if the original password is the same. This avoids e.g. rainbow table attacks or re-using a stolen hash on another website where the hash is sufficient to log in (happens with bad remember-me implementations).
Assume an attacker got the stored password hash from your database. This usually means that he knows both the salt and the final hash. Now he can already brute-force this single password. Assuming there are no collisions he’ll end up with the actual password of the user when the brute-force attack succeeds. And that one will work no matter what salt is used at this moment.
For more information about salting, I suggest you read this excellent answer on IT Security.
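The point made in the answer, as an added example that is not part of the original question or answer: a per-user salt that is rotated on every login does not invalidate a password recovered from an earlier copy of the database row. The use of PBKDF2, the iteration count, the function names and the sample passwords are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor, kept low so the sketch runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def new_record(password: str) -> dict:
    """Store a fresh random per-user salt next to the resulting hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, password: str) -> bool:
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(record["hash"], candidate)


def login_with_rotation(record: dict, password: str):
    """The scheme from the question: re-salt and re-hash on each successful login."""
    if not verify(record, password):
        return None
    return new_record(password)


def offline_guess(leaked: dict, candidates):
    """A leaked (salt, hash) pair lets guesses be checked without the server."""
    for guess in candidates:
        if verify(leaked, guess):
            return guess
    return None


def demo():
    stored = new_record("correct horse")   # constructed sample password
    leaked = dict(stored)                  # copy of the row as it was when stolen
    stored = login_with_rotation(stored, "correct horse")  # user logs in, salt rotates
    rotated = stored["salt"] != leaked["salt"] and stored["hash"] != leaked["hash"]
    recovered = offline_guess(leaked, ["letmein", "correct horse", "hunter2"])
    # The password recovered from the old row still verifies against the new row.
    return rotated, recovered, verify(stored, recovered)


if __name__ == "__main__":
    print(demo())
```

What limits the damage from a stolen row is the cost of each guess (a slow, salted password hash) and the strength of the password, because the salt only has to be unique per user, not fresh per login.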