[aur-dev] [PATCH] Support for salted passwords

Loui Chang louipc.ist at gmail.com
Thu Apr 15 15:00:42 EDT 2010


On Mon 05 Apr 2010 09:50 -0400, Denis Kobozev wrote:
> Here's a patch that adds support for storing salted passwords in the
> database. The salt is a random string for each user and is stored
> along with the password in the Users table. Salt is created and
> password is salted when old users log in. New users get salted
> passwords when they register. What do you think?

Hi Denis. I thought the idea behind salt is that if someone gets the
database, they can't crack the passwords because the salt is secret.

If you include the salt in the database, then it wouldn't be much more
difficult to crack than the regular password hash, would it?  So how
would we go about keeping the salt secret if it's in the same database
as the password hashes?

I might not fully understand the concept though.
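
The scheme described in the quoted patch summary (a random per-user salt stored in the same row as the hash, old rows salted at their next login, new users salted at registration), as an added example that is not part of the original mail or of the AUR patch. The dict standing in for the Users table, the function names, the unsalted SHA-256 legacy format and the use of PBKDF2-HMAC-SHA256 are all assumptions; the mail does not say which hash the patch uses.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, not taken from the patch


def legacy_hash(password):
    # Assumed pre-patch format: an unsalted digest of the password.
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt):
    # Swapped-in technique: PBKDF2-HMAC-SHA256 over password and per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def register(users, name, password):
    # New users get a fresh random salt, stored next to the hash.
    salt = os.urandom(16)
    users[name] = {"salt": salt, "passwd": salted_hash(password, salt)}


def login(users, name, password):
    row = users.get(name)
    if row is None:
        return False
    if row["salt"] is None:
        # Old user: verify against the legacy hash, then upgrade the row,
        # since this is the only moment the plaintext is available.
        if not hmac.compare_digest(row["passwd"], legacy_hash(password)):
            return False
        row["salt"] = os.urandom(16)
        row["passwd"] = salted_hash(password, row["salt"])
        return True
    return hmac.compare_digest(row["passwd"], salted_hash(password, row["salt"]))


def demo():
    # Constructed sample data: one pre-patch row and two new registrations
    # that happen to share the same password.
    users = {"old": {"salt": None, "passwd": legacy_hash("hunter2")}}
    register(users, "new1", "hunter2")
    register(users, "new2", "hunter2")
    return users


if __name__ == "__main__":
    table = demo()
    # Same password, different stored values: a single precomputed table
    # cannot cover both rows even though each salt is readable in the row.
    print(table["new1"]["passwd"] != table["new2"]["passwd"])
    print(login(table, "old", "hunter2"), table["old"]["salt"] is not None)
```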


