what is best possible way of salting and storing salt?

Question

Hi guys I have read about password salting, but this might sound a little odd. But how do I store and secure the salt. For example in a multi tire architecture say I use the

Answer 1

Storing the salt unencrypted in the database next to the hashed passwords is not a problem.

The purpose of the salt is not to be secret. It's purpose is to be different for each hash (i.e. random), and long enough to defeat the use of rainbow tables when an attacker gets his hands on the database.

See this excellent post on the subject by Thomas Ptacek.

edit @ZJR: even if the salts were completely public, they would still defeat the benefit of rainbow tables. When you have a salt and hashed data, the best you can do to reverse it is brute force (provided that the hash function is cryptographically secure)

edit @n10i: See the wikipedia article for secure hash function. As for the salt size, the popular bcrypt.gensalt() implementation uses 128 bit.

Answer 2

Please take a moment to read this very good description of salts and hashing

Salt Generation and open source software