Should the Salt for a password Hash be “hashed” also?

Backend · Unresolved · 5 answers · 2008
一整个雨季 2021-01-05 17:29

This I think may be a silly question, but I have become quite confused on what I should do here for the best.

When salting a password hash, should the salt also be h

5 answers
  •  抹茶落季
    2021-01-05 18:10

    No, you must not hash the salt. The salt is in clear text and it is needed for you to recompute the password and check it against the one stored in the hashed password file.

    But if you need a strong salting procedure you can compute your salted password in this manner:

    SaltedHashedPwd = H(H(H(H(.....H(PWD-k+SALT-k)+SALT-k)+SALT-k).....)+SALT-k+N

    H is the hash function, SALT-k is a k-random string you use as salt, PWD-k is the k-password (every password has a different salt), and N is the number of iterations you compose the H function.

    The PKCS#5 standard uses N=1000!

    In this manner a dictionary attack is not possible because for every word in the dictionary and for every SALT in the password file, the attacker needs to compute the hash. Too expensive in time!

    I think that N=100 should be enough for your uses :-)

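The scheme the answer describes, as an added example that is not part of the original thread: a per-user clear-text salt is stored beside the iterated digest, verification recomputes the digest from that stored salt, and the standard library's PBKDF2 (the PKCS#5 function the answer refers to) is shown beside the hand-rolled loop. The function names, the 16-byte salt and the choice of SHA-256 are assumptions of this example.

```python
import hashlib
import hmac
import os


def iterated_salted_hash(password: bytes, salt: bytes, iterations: int) -> bytes:
    """The answer's construction: H(... H(H(pwd + salt) + salt) ... + salt),
    applied `iterations` times, with the salt mixed into every round."""
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    digest = hashlib.sha256(password + salt).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest + salt).digest()
    return digest


def create_record(password: str, iterations: int = 1000) -> dict:
    """What is stored per user: the clear-text salt, the iteration count and
    the final digest. The salt is random per user and is never hashed."""
    salt = os.urandom(16)  # constructed per-user salt; stored in the clear
    digest = iterated_salted_hash(password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Re-run the same derivation with the stored clear salt and compare in
    constant time, so the check does not leak where the digests diverge."""
    salt = bytes.fromhex(record["salt"])
    candidate = iterated_salted_hash(password.encode(), salt, record["iterations"])
    return hmac.compare_digest(candidate.hex(), record["hash"])


def pbkdf2_record(password: str, iterations: int = 1000) -> dict:
    """Standardised equivalent (PKCS#5 PBKDF2-HMAC-SHA256) from the standard
    library; prefer this over a home-grown loop in a real system."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify_pbkdf2(password: str, record: dict) -> bool:
    salt = bytes.fromhex(record["salt"])
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


if __name__ == "__main__":
    rec = create_record("correct horse battery staple")
    print(rec)
    print(verify("correct horse battery staple", rec), verify("wrong", rec))
```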