Comments on: Do Passwords Right

By: fREW Schmidt

fREW Schmidt — Thu, 04 Feb 2010 18:47:23 +0000

@Andrew: I thought I made it clear that this scheme does use a unique salt per user. Sorry I wasn’t clear enough for you

@Michael: indeed.

By: Michael Peters

Michael Peters — Thu, 04 Feb 2010 14:38:13 +0000

Salts are only kept secret if they aren’t unique per-password. If you have a unique salt it’s typically stored as part of the hashed password, so that the encrypted password can be used as the salt when checking a login attempt to make sure they hash to the same thing.

By: Andrew Rodland

Andrew Rodland — Thu, 04 Feb 2010 07:28:38 +0000

Not “you can have a unique salt per password”. You *must* have a unique salt per password, chosen randomly when the password is set or reset, or none of the other stuff is even worth the time you spent on it.

Fortunately your example *does* get it right, so there isn’t any additional work to be done!