Salting: Is it reasonable to use the user name?

Question

I am debating using user-names as a means to salt passwords, instead of storing a random string along with the names. My justification is that the purpose of the salt is to prev

Answer 1

I don't see a problem with utilizing the username as the salt value.

A more secure way of storing passwords involves using a different salt value for each record anyway.

If you look at the aspnet_Membership table of the asp.net membership provider you'll see that they have stored the password, passwordsalt, and username fields in pretty much the same record. So, from that perspective, there's no security difference in just using the username for the salt value.

Note that some systems use a single salt value for all of the passwords, and store that in a config file. The only difference in security here is that if they gained access to a single salt value, then they can more easily build a rainbow table to crack all of the passwords at once...

But then again, if they have access to the encrypted form of the passwords, then they probably would have access to the salt value stored in the user table right along with it... Which might mean that they would have a slightly harder time of figuring out the password values.

However, at the end of the day I believe nearly all applications fail on the encryption front because they only encrypt what is ostensibly one of the least important pieces of data: the password. What should really be encrypted is nearly everything else.

After all, if I have access to your database, why would I care if the password is encrypted? I already have access to the important things...

There are obviously other considerations at play, but at the end of the day I wouldn't sweat this one too much as it's a minor issue compared others.