Kartris User Guide

18.4. Password security

For security, passwords for both admin accounts and front end users (customers) are salted and hashed before being stored in the database.


For the salting, we use two separate salt values. The first is a global value, typically set during installation of Kartris, and is stored in the web.config file of the site. For example:

<add key="HashSalt" value="9e3cdce4-a52e-47e6-ba12-697e64760ce9" />

The second salt value is generated per user and stored with the user record. It is generated at the time the user record is created, and again whenever the password is changed.


It is stored in the U_SaltValue field of the tblKartrisUsers table, or for back end admins, the LOGIN_SaltValue field of the tblKartrisLogins table.

Before hashing user and login passwords, the global salt is prepended to the front of the user's chosen password and the per-user salt is appended to the end. The resulting string is hashed with SHA-256 and the digest is stored in the database (U_Password in the tblKartrisUsers table and LOGIN_Password in the tblKartrisLogins table).


Salting the passwords prior to hashing ensures that rainbow tables or similar precomputed-lookup methods cannot be used to recover the passwords from the database, should it ever be obtained by an attacker. Put another way, if two or more users choose an identical password, entirely different values will be stored in the password field for each of them, because each has a different per-user salt appended before hashing.


Furthermore, using two salt strings, one stored in the database record and one stored in the web.config file, adds a further layer of protection: an attacker would need to obtain two separate elements from two different storage locations.


When a user logs into the site, the password they enter has the global and per-user salts applied in the same way, the resulting string is hashed with SHA-256, and the digest is compared to the value stored in the database. If they match, the password entered is correct; if they do not match, it is not, and the user is not granted access.
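The scheme described above (global salt in front, per-user salt at the end, SHA-256 over the whole string, then the same steps repeated at login) as an added Python example; this is not Kartris code, and the UTF-8 encoding, hex digest output, per-user salt generator and constant-time comparison are assumptions the page does not state.

```python
import hashlib
import hmac
import secrets

# The example HashSalt value from web.config shown above (constructed sample, not a live key).
GLOBAL_SALT = "9e3cdce4-a52e-47e6-ba12-697e64760ce9"


def new_user_salt() -> str:
    """Per-user salt, created with the record or on password change.
    Assumption: a random hex string; the real Kartris generator is not shown on the page."""
    return secrets.token_hex(16)


def hash_password(password: str, user_salt: str, global_salt: str = GLOBAL_SALT) -> str:
    """SHA-256 over global_salt + password + user_salt (global in front, per-user at the end).
    Assumptions: UTF-8 encoding of the string and lowercase hex output."""
    data = (global_salt + password + user_salt).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def create_user_record(password: str) -> dict:
    """Mimics the U_SaltValue / U_Password columns of tblKartrisUsers."""
    salt = new_user_salt()
    return {"U_SaltValue": salt, "U_Password": hash_password(password, salt)}


def verify_login(record: dict, attempt: str) -> bool:
    """Re-apply both salts to the entered password and compare with the stored digest.
    hmac.compare_digest is a constant-time comparison; the page only says the values are compared."""
    candidate = hash_password(attempt, record["U_SaltValue"])
    return hmac.compare_digest(candidate, record["U_Password"])


if __name__ == "__main__":
    # Two users with the same password end up with different stored values.
    a, b = create_user_record("correct horse"), create_user_record("correct horse")
    print(a["U_Password"] != b["U_Password"], verify_login(a, "correct horse"))
```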
