PHP - Should Salt be stored in a database or code?
Posted on 2016-08-19
I am setting up password encryption using PHP blowfish.
The tutorial I am following suggests having individual user generated salts stored in the database instead of a single salt in the php code. I understand that individual salts for each user is good, but doesn't that mean that if a hacker got access to the database they would have access to both the hashed salt and hashed password? Isn't it safer to separate them. I have looked at Wordpress code and they seem to have the salt in the php wp-config.php file, unless I have missed something?
Which is better?