http://www.perlmonks.org?node_id=11133826


in reply to Replacing crypt() for password login via a digest - looking for stronger alternative

In the comments of the article you refer to it says...

In a more real life scenario, $shash would likely be retrieved from the DB you use to maintain credentials.

When passwords are leaked, I have always assumed that someone has somehow maliciously extracted the data from the User (or equivalent) database table. From this they have got a list of email addresses and password hashes. But if the database table also has the salts in it, is it any more secure than just using a strong encryption algorithm without salting?

Personally I keep name and email address data in a different table to the user ID and encrypted passwords. That table exists in a different schema, albeit within the same RDBMS.