Distributed Password Salts For Security?

First, do not create your own password storage and verification scheme (unless you really know what you are doing); use an already established and proven library, algorithm and scheme instead. But let's say you are using PBKDF2-SHA256, which is very good, and like me you don't like how the usual scheme stores the salt in the database right alongside the hash and the iteration count. On a project where I beefed up password security on a 10+ year old website, the client's on-staff developer came up with what I consider one of the best salt storage ideas. It was then my job to make it real, and to make it fast enough for production use. (I am not covering basic password security concepts here, just a slight modification that increases the difficulty of obtaining all the data needed to compromise a user's password.)