Where to get salt when hashing passwords?


I learned that I need to use a salt so that the same passwords won't show up in the database.

But where do I get the salt? I cannot use one for all, as it wouldn't help anything. I can generate a random one, but then the hash would be different every time and nobody would be able to log back in.

So I found a suggestion to use a cryptographically safe RNG and store the salt with the user.

But I would have to make the table larger for that. Can't I use the same hashing function to hash the username and use that as the salt for the password? It should be cryptographically safe since I use a cryptographically safe hashing function for hashing passwords, right?

There is 1 answer

Wolfgang Brehm (best answer)

Typically you generate a different (not necessarily random) salt for each password once and store it alongside the hash.

Generating the salt from the username is sufficient if the usernames are unique. You don't really gain anything (but you don't really lose anything either) by using a cryptographic hash function to generate the salt; a uniform distribution is sufficient. Even just using the usernames as they are will prevent the same passwords showing up in the database, but it will not harden it against rainbow table attacks as much as a salt with a wider distribution would.
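As an added example (not code from the question or the answer): a Python sketch of the stored-salt approach the answer describes, packed into one self-describing string so the salt needs no extra table column, with the username-derived salt from the question beside it for comparison. The record format, iteration count and function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a 16-byte salt.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    The salt is stored inside the record, so the existing hash column holds
    everything needed for verification. A fresh CSPRNG salt is drawn per call
    unless one is supplied explicitly.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # cryptographically secure RNG
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the salt stored in the record; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def username_salt(username: str) -> bytes:
    """The question's alternative: derive the salt from the username.

    This is deterministic, so the same username and password produce the
    same record on every system that uses this scheme; a random stored salt
    gives a different record each time.
    """
    return hashlib.sha256(username.encode()).digest()
```

Two records for the same password differ only when the salt is random; with a username-derived salt they are identical, which is the property the answer refers to when it says such a salt hardens the table less.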