
Is it a good idea to update hash salt every login?

I want to make a secure website. Is updating the password salt every time a user logs in a good idea?

Edit: I additionally use a global salt, which is hard coded.

No, it makes no sense at all.

The purpose of salting hashes is to make them unique even if the original password is the same. This avoids e.g. rainbow table attacks or re-using a stolen hash on another website where the hash is sufficient to log in (happens with bad remember-me implementations).

Assume an attacker got the stored password hash from your database. This usually means that he knows both the salt and the final hash. Now he can already brute-force this single password. Assuming there are no collisions he'll end up with the actual password of the user when the brute-force attack succeeds. And that one will work no matter what salt is used at this moment.

For more information about salting I suggest you read this excellent answer on IT Security.

A new salt should be randomly generated for each user and each time they change their password as a minimum. I'm not sure if generating a new one each login is a good idea. It seems overkill and does not provide any significant extra security.

You could try using an extra static site wide secret key.

In this case, even if your DB is compromised, the hash and salt will be available. But the hacker will need access to local files to gain your static key.

hash(hash(salt + secret_key) + password)
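The following is an added example, not code from the question or either answer, that puts both answers' points into running code: it implements the second answer's hash(hash(salt + secret_key) + password) construction with a per-user random salt and a site-wide secret, and then shows the first answer's argument, namely that a salt replaced after each login changes nothing for an attacker who has already recovered the password from the old database row. SECRET_KEY, the candidate list and the iteration count are constructed for the example; the outer hash is PBKDF2-HMAC-SHA256 rather than a plain hash so that guessing is deliberately slow.

```python
import hashlib
import hmac
import secrets

# Constructed site-wide secret standing in for the answer's "secret_key";
# in a real deployment it lives in a local config file, never in the database.
SECRET_KEY = b"constructed-example-pepper"

# Constructed iteration count; production values should be tuned to the server.
ITERATIONS = 50_000


def derive(password: str, salt: bytes, secret_key: bytes = SECRET_KEY) -> bytes:
    """hash(hash(salt + secret_key) + password): the inner hash mixes the
    per-user salt with the site-wide secret, the outer one is PBKDF2 so
    each guess costs ITERATIONS HMAC computations."""
    inner = hashlib.sha256(salt + secret_key).digest()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), inner, ITERATIONS)


def create_record(password: str) -> dict:
    """What gets stored in the database: a fresh random salt and the hash."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": derive(password, salt)}


def verify(record: dict, password: str) -> bool:
    """Constant-time comparison against the stored hash."""
    return hmac.compare_digest(record["hash"], derive(password, record["salt"]))


def resalt_on_login(record: dict, password: str):
    """The scheme the question proposes: after a successful login, throw the
    old salt away and store a new salt and hash. Returns the new record,
    or None if the login failed."""
    if not verify(record, password):
        return None
    return create_record(password)


def offline_guess(record: dict, candidates, secret_key: bytes):
    """The check an attacker holding one database row (salt + hash) can run:
    try each candidate password and return the one that matches, or None.
    Without the site-wide secret the derived values never line up, which is
    the second answer's point; with it, the recovered password is the real
    password and works against any later salt, which is the first answer's."""
    for candidate in candidates:
        if hmac.compare_digest(record["hash"],
                               derive(candidate, record["salt"], secret_key)):
            return candidate
    return None


if __name__ == "__main__":
    old_row = create_record("correct horse")
    new_row = resalt_on_login(old_row, "correct horse")
    recovered = offline_guess(old_row, ["password", "correct horse"], SECRET_KEY)
    print("salt rotated:", new_row["salt"] != old_row["salt"])
    print("password recovered from old row:", recovered)
    print("still valid against the new row:", verify(new_row, recovered))
    print("recovered without the secret key:",
          offline_guess(old_row, ["password", "correct horse"], b"wrong-secret"))
```

Run as a script, the example shows the rotated salt, then that the password recovered from the old row still verifies against the new row, and finally that the same guess list finds nothing when the site-wide secret is not available to the attacker.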

粤ICP备18138465号  © 2020-2024 STACKOOM.COM