问题
I've seen various methods on how to properly salt a password. The basic premise is that you attach a random string to each password before it is hashed and stored. Can I store the salt in the same table as the password? Also, does it matter if the salt is stored as plain text, as long as each entry has a different salt?
回答1:
Yes. The idea behind a salt is not that the salt be secret, but that it causes the same password for different users to be hashed differently. This raises the size of needed rainbow tables for cracking, or forces a dictionary (or other) attack to be ran against every password separately.
回答2:
The point of salting is that no one has the same hash as users have same password, just putting their username in front of the password then hashing it would be enough.
来源:https://stackoverflow.com/questions/4167604/how-to-store-password-salt