Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
In regards to saving a salted hash version of the user’s password, I save in the DB the hashed salted password and the salt used before hashing it.
Should I also save in the DB the name of the algorithm used to hash the salted password (e.g. SHA1 or MD5 [I am not going to use MD5!]) so in case of someone finding a breach in the algorithm I use, I could switch to use another algorithm for future users ?
Notice: I’m not talking about the algorithm used to generate the random hash.
Yes, this is a good idea. It costs you very little (a few bytes per entry), and means that you can change and improve how you store passwords in future. For instance, suppose you’d started using this method with MD5 some years ago – it would now make it a trivial matter to upgrade to SHA1 or something else more secure by updating each user’s password hash when they next log in.
Note you should be using something like PBKDF2 to hash your passwords, not just a salted hash.