
I'm a complete novice at this and in need of advice. I'm building an app that I've implemented a password encrypted backup feature into. I'm wondering about the best practice for handling the salt. With a centralised database I know that it's essential to have a random salt as a defence against hackers, but what about when there is no centralised database for a hacker to attack? Is it acceptable to hard code a salt into my app, or should it be randomly generated and then hardcoded into the outputted encrypted file?

Any advice much appreciated.

vquest

1 Answer


The salt should be different for each user. It is therefore far more secure to attach the salt to the encrypted file than to have a fixed "salt". A fixed value for the entire system, often called a "pepper", will still allow attacking multiple accounts together. To ensure you can't attack multiple accounts together, use a different salt for each. If you don't have a DB, prepending the salt to the encrypted file next to an IV/nonce is reasonable.

Meir Maor