I apologize for being naive, but it's only recently that I've started learning cryptography and online security.
From what I understood, the safest way to store a password, without sacrificing efficiency, is to add a pepper, generate a random salt, then hash all three (password + pepper + salt).
When a user tries to log in, the program then checks whether the hash matches the one in the database associated with the user name. Since you need the salt (and the hard-coded pepper) to hash the password with any hope of success …
- Do you need to try hashing with each salt in your database?
- If you have a million salts, wouldn't that be very slow?
- Is there a better way to do this?
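An added example, not part of the original question, of the store-and-verify flow described above in Python: the pepper is a constructed value that in practice lives in application config, and a dict stands in for the users table. Each user's salt is stored next to their hash, so verification reads that one salt instead of trying every salt in the table.

```python
import hashlib
import hmac
import os

# Constructed value for this example. In a real deployment the pepper is
# held in application config or a secrets store, never in the users table.
PEPPER = b"example-pepper-not-a-real-secret"
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor

# Stand-in for the database: username -> (salt, hash). The salt is not a
# secret; it only has to be unique per user, so it is stored in the clear.
users: dict[str, tuple[bytes, bytes]] = {}


def derive(password: str, salt: bytes) -> bytes:
    """Hash password + pepper + salt with a deliberately slow KDF."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode() + PEPPER, salt, ITERATIONS
    )


def register(username: str, password: str) -> None:
    """Generate a fresh random salt for this user and store it with the hash."""
    salt = os.urandom(16)
    users[username] = (salt, derive(password, salt))


def verify(username: str, password: str) -> bool:
    """Fetch this user's own salt, re-derive, compare in constant time.

    Only one derivation runs per login attempt; the table size is irrelevant.
    """
    record = users.get(username)
    if record is None:
        # Spend the same work for unknown users so response time does not
        # reveal which user names exist.
        derive(password, b"\x00" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(derive(password, salt), stored)
```

Two users with the same password end up with different salts and therefore different stored hashes, which is the property the random salt is there to provide.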