Re: Newbie Salt and Pass Phrase Question.



Kristian Gjøsteen wrote:
Larry Lindstrom <nobody@xxxxxxxxxxx> wrote:
That makes sense. The salt has to be secret, where can it
be kept so the user has to only remember the pass phrase?

Ah. I generally interpret a salt to be a non-secret value. If you have
good passwords, having a non-secret salt isn't so bad.

If you want it to be secret, then it has to be _secret_. Storing it
somewhere obscure is not good enough. A common strategy is storing
it on a memory stick or something similar. The user inserts the stick
when he wants to access the database and removes it when he is done.
The software shuts down when the memory stick disappears. (The device
can be tied to the user's trousers to enforce this rule...)

Thanks again Kristian:

Don't forget the "Newbie" in the subject line.

The salt for generating PKCS 5 algorithm 2 keys doesn't
need to be secret?

If that's the case, will it be secure to generate one
salt for my application and use the same salt for every
user?

That would solve the problem.

Thanks