I'm starting to design a database to use in a web solution and would like to understand if there is any benefit to storing passwords (and the rest of the user information for that matter) in a separate table to the table with the user id.
Web Database – How to store user information
database-design
Related Question
- Mysql – Design for user profile information and track changes
- Sql-server – Database design for web mail client
- PostgreSQL – How to Model Database Structure for Storing Words Information
- How best to store complex cost information
- Database Design – Best Way to Store Material Information and Quantities
- Database Design – One Field vs Multiple Fields for ID Reference
Best Answer
The one benefit for storing passwords in a separate table, if you have a db that supports this, is you can use a security definer function to read the passwords, and this prevents sql injection or the like from reading it in other queries. Think of it as being like the /etc/shadow file on Linux. Of course this is in addition to salted hashes.
This being said I am of the opinion you should really avoid storing passwords in your database. The less of this sort of thing your app does the less you have to worry about security-wise. Outsource it to OpenID providers, etc. or if it is an intranet app, something like LDAP, AD, or the like.