Securely storing user passwords

I'm considering how to secure passwords.
Please correct me if anything appears wrong, or add things if I've missed something.

1) Store the salt in a different place (database) than the password hashes. If the password hashes are stolen, the salt isn't necessarily stolen too.
2) Use sha1() instead of md5() for hashes (storing in MySQL), because SHA is more resource-consuming to break than MD5.
3) What considerations should be made when choosing a salt?
4) Would it in any way make sense to truncate the SHA digests to 32 chars, making them look like an MD5 hash?
askb commented:
1. Storing salts separately in a different database does not increase the strength of the password / hash. Only the output hash/digest needs to be stored in the db for verifying the user. Note that another added security - if you are using something like md5sum - would be that the added advantage of having the digest/hash in the database would also imply that the attacker would have to reverse the hash string to a string which equates to "pwd + salt". This would be the same as finding a variable-length input string given a fixed-length 128-bit output hash.

2. yes - sha1 is better, and if you are considering some PKI stuff you could also try HMAC

3. Salt - can be master password/pin or any random bytes. This is what my scripts do:
md5sum(User ID + Pass + Master Pass (SALT)) = hash
NOTE: Salt can be a secondary pass or a pin number
Salts have many uses -

4. Not advisable - as you would be increasing the possibilities for a collision. Assume that
1. sha1(a+B+C) = 4e1243bd22c66e76c2ba9eddc1f91394e57f9f83
2. sha1(ZZZ+B+C) = 4e1243bd22c66e76c2ba9eddc1f91394e57f9f82

Now if 1 and 2 get truncated, both would be = 4e1243bd22c66e76c2ba9eddc1f91; see that the last bit/char of the output digest could be different.
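As an added example, not code from askb or from the question author, the following Python shows the storage layout the answer describes: a random per-user salt kept in the same database row as the digest (it is not a secret, so it needs no separate store), a digest derived from password + salt, and a constant-time verification. It uses SHA-1 through PBKDF2 (iterated HMAC-SHA1, which also covers the HMAC remark in point 2); the iteration count and the salt length are constructed choices for the example, not values from the thread. The last helper illustrates why two users with the same password still get different digests, and the truncation helper shows how much of the digest is discarded when it is cut to 32 hex characters (point 4).

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed parameters for this example; tune the iteration count to
# the hardware the verifying server runs on.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Dict[str, object]:
    """Derive a digest from password + salt using PBKDF2-HMAC-SHA1.

    Returns a record with everything a verifier needs (salt, iteration
    count, digest); all three can live in one database row, since the
    salt's job is to make each stored digest unique, not to stay hidden.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_password(password: str, record: Dict[str, object]) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    salt = bytes.fromhex(str(record["salt"]))
    candidate = hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt, int(record["iterations"])
    )
    return hmac.compare_digest(candidate, bytes.fromhex(str(record["digest"])))


def same_password_distinct_digests(password: str) -> bool:
    """Two accounts with the same password get different stored digests,
    because each account has its own random salt (askb's point 3)."""
    first = hash_password(password)
    second = hash_password(password)
    return first["salt"] != second["salt"] and first["digest"] != second["digest"]


def truncated_digest(record: Dict[str, object], chars: int = 32) -> str:
    """Cut the 40-hex-character SHA-1 digest down to `chars` characters
    (point 4): the dropped characters are bits that no longer distinguish
    inputs, which is why truncation widens the collision space."""
    return str(record["digest"])[:chars]


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print("stored record:", rec)
    print("login with right password:", verify_password("correct horse battery staple", rec))
    print("login with wrong password:", verify_password("wrong", rec))
    print("same password, distinct digests:", same_password_distinct_digests("hunter2"))
    print("truncated to 32 chars:", truncated_digest(rec))
```

The record is deterministic for a given salt, so a fixed salt reproduces the same digest (useful in tests), while production code should always let `hash_password` draw a fresh random salt.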
Also, if one stores sha(username + password + salt), two users can have the same password, and still not the same hash. A good idea?
letharion (author) commented:
That pretty much answers my question :)

Thank you very much.