Score:0

Should I protect the salt before storing it in a database or use a pepper (secret salt) instead?

in flag

If I protected the salt or used a pepper (secret salt) and an attacker got access to the database he can't do a rainbow table attack on a targeted user (a famous or important person).

Should I use a pepper (secret salt) ? If yes, then:

  • how to make it unique accros all users or a group of users (not make it global and fixed) ?
  • how to store it safely without hard coding it ?

Or should I protect the salt ? If yes, which is better:

  • store a part of the salt securely ?
  • encrypt the salt itself ? (by this: Isn't the key used for encryption is somehow a pepper ?)
  • derive the salt from a safely stored secret ? (alse: isn't the used secret is somehow a pepper ?)
SAI Peregrinus avatar
si flag
Rainbow tables are prevented even by public salts.
Mohamed Waleed avatar
in flag
But when the attacker target a specific user, he might generate a rainbow table using the salt he cracked from the database.
SAI Peregrinus avatar
si flag
I think you're confused about what rainbow tables are. https://rsheasby.medium.com/rainbow-tables-probably-arent-what-you-think-30f8a61ba6a5 is a good explanation.
Score:2
si flag

Pick peppers the same way you pick cryptographic keys: use your OS's CSPRNG to generate a 16-32 byte (128-256 bit) pepper.

If your system has a Hardware Security Module (HSM) or secure enclave, you can store a single pepper for all users there. Otherwise you have to use a regular file, so set access permissions appropriately.

It's possible to have a pepper per user in some cases. For that, you typically can't use an HSM or secure enclave since you'll have too many entries for it, and also have to store which user goes with which pepper. So it might make things less secure instead of more secure.

Salts are non-secret by definition. Store the salt in the same database as the username and password hash. For all the current secure password hashing functions the salt is part of the password hashing algorithm's output, and so doesn't need a separate database column.

Whatever you do ensure you have a way to backup and restore the pepper(s). It won't be backed up by your database backups, after all! If it's lost your users can't log in. Remember that security is a combination of confidentiality, integrity, and availability, so don't let the pepper become a single point of failure.

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.