Is it possible to use a value that constantly changes as salt for passwords?


For example, using the last time a user logged in to salt the password. Or another changing value. Is this possible?
I thought it would just re-salt the password each time, but the user won't need to make a new one? (I'm not an experienced programmer, so I wouldn't really know, but this is just how I thought it would work).

Best Answer:

Robert J: The password has a salt string appended to it before hashing, both when originally saved and when one is being tested for validity, by using the same sequence and comparing the hash of the entered password with the stored hash.

If the salt is ever changed, the same passwords produce different hashes so never match the original, saved versions.

To be able to re-hash them you would need to save the plain text passwords – and the whole reason for using salted and hashed passwords is so the originals are _never_ saved, so can never be extracted in case of a security breach.

Other answer:

Robert J:
You could do this: each time a person logs in, you temporarily have their password, so you could re-salt it, but I don't see how this would make the system any more secure. The user still has the same password, so if someone has stolen the password, changing the salt won't make that password invalid.
Neither possible, nor practical, since you would need to manually change your password manually, and then the next time you logged on, your password would become obsolete as you change it again – and again – and again. And, as I stated, you would have to make this change manually.
If you can conceptualize it, it can be done.
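
Both behaviours described in the answers above, as an added example that is not part of the original answers: changing the salt without re-hashing breaks verification, while re-salting at login works because the plaintext is briefly available. It uses PBKDF2 from Python's standard library instead of a plain append-and-hash; the function names, iteration count, sample password and timestamp are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored hash from the password and the salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(password: str) -> dict:
    """Create a record: the salt is stored next to the hash, the password is not."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, password: str) -> bool:
    """Re-hash the attempt with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])


def change_salt_only(record: dict, new_salt: bytes) -> dict:
    """The broken idea: swap in a new salt value but keep the old hash."""
    return {"salt": new_salt, "hash": record["hash"]}


def login_and_resalt(record: dict, password: str):
    """Re-salt during a successful login, the only moment the plaintext is available."""
    if not verify(record, password):
        return False, record
    return True, register(password)


def demo() -> dict:
    rec = register("correct horse")  # constructed sample password
    broken = change_salt_only(rec, b"2024-01-01T00:00:00")  # constructed last-login value
    ok, rotated = login_and_resalt(rec, "correct horse")
    return {
        "original_verifies": verify(rec, "correct horse"),
        "salt_changed_without_rehash": verify(broken, "correct horse"),
        "login_ok": ok,
        "rotated_verifies": verify(rotated, "correct horse"),
        "salt_rotated": rotated["salt"] != rec["salt"],
        "wrong_password": verify(rotated, "wrong"),
    }


if __name__ == "__main__":
    print(demo())
```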