Newbie Salt and Pass Phrase Question.
- From: Larry Lindstrom <nobody@xxxxxxxxxxx>
- Date: Mon, 26 Jun 2006 10:16:53 -0700
Hi Again.
I'm using LibTomCrypt for my first crypto enabled app.
It's a database app, so communication security issues,
like PKI, aren't problems.
While I have been doing some reading, and sat through
the U Dub lectures, the most practical crypto text has been
Tom's LibTomCrypt documentation. It seems to have
everything a math-impaired, crypto-ignorant newbie needs.
Tom recommended PKCS 5 algorithm 2 in an earlier thread
but I wasn't using PKI, and I hadn't read down to the
password part of the LibTomCrypt documentation, so I didn't
realize the relevance of that suggestion to my situation.
Tom's explanation and examples make perfect sense, and
I'm convinced that all pass phrases should be salted and
hashed.
But I think this is the situation.
Users can remember their pass phrases. Users can't
remember a 32 char hash of their salt and pass phrase.
These users aren't going to carry around smart cards
to use the application.
Where are users going to keep this hash? I'm guessing
on their computer somewhere. Perhaps keeping this in some
obscurely named file in a remote directory is OK.
This application will store names, addresses, phone
numbers, email addresses and similar personal data.
Future versions may need to store Social Security and
credit card info, but I might be able to make some demands
on that audience regarding security.
Is there a secure method that requires users to remember
nothing more than their passwords?
Thanks
Larry