How much salt security is too much salt security

Question

When does salting passwords become too secure? I have a couple of functions that Encrypt and Decrypt as users passwords, but I am concerned if it might be overkill.

First I have my encryption method which takes the encrypted password and the salt and puts it all in one string (up to 256 Characters) in my database. In addition to that it actually only encrypts the password with a 32 Character string of my original 128 Character Salt String, which the function chooses at random.

    Public Function EncryptPassword(Password As String) As String

        Dim EPassword As String = String.Empty

        ' Generate Random 128 Base64 Salt String
        Dim Salt As String = Var.Simple3Des.GenerateSalt

        ' Divide into Substrings, and combine into splitable string
        Dim SmallSalts As String = Salt.Substring(0, 32) + "." + Salt.Substring(32, 32) + "." + Salt.Substring(64, 32) + "." + Salt.Substring(96, 32)

        ' Create the Salt Array
        Dim SaltArray = Split(SmallSalts, ".")

        ' Randomly Choose part of the array to actually use as salt
        Dim rnd As New Random
        Dim TrueSalt As String = SaltArray(rnd.Next(0, SaltArray.Length))

        ' Encrypt The Password
        Dim Security As New Var.Simple3Des(TrueSalt)
        EPassword = Security.EncryptData(Password)

        ' Divide up the salt and password and place into same string
        Dim PasswordString As String = Salt.Substring(0, 16) + EPassword.Substring(0, 6) + Salt.Substring(16, 112) + EPassword.Substring(6, EPassword.Length - 6)

        Return PasswordString

    End Function

I then use the same formula to Decry-pt the password, by trying all possible sub-string combinations until it finds the right one.

 Public Function DecryptPassword(NtID As String)

            ' Grab The Users Encrypted Password
            Dim UserID As Integer = GetAppUserID(NtID)
            Dim User As Users = Var.db.Web.Users.Find(UserID)
            Dim EPassword = User.Password

            ' Divided the Encrypted Password Into Salt and Actual Password
            Dim Salt As String = EPassword.Substring(0, 16) + EPassword.Substring(22, 112)
            Dim Password As String = EPassword.Substring(16, 6) + EPassword.Substring(134, EPassword.Length - 134)
            Dim DPassword As String = String.Empty

            ' Try each substring of Salt until password is Decrypted.
            Try
                If DPassword = String.Empty Then
                    Dim Security As New Var.Simple3Des(Salt.Substring(0, 32))
                    DPassword = Security.DecryptData(Password)
                End If
            Catch ex As Exception
                DPassword = String.Empty
            End Try

            Try
                If DPassword = String.Empty Then
                    Dim Security As New Var.Simple3Des(Salt.Substring(32, 32))
                    DPassword = Security.DecryptData(Password)
                End If
            Catch ex As Exception
                DPassword = String.Empty
            End Try

            Try
                If DPassword = String.Empty Then
                    Dim Security As New Var.Simple3Des(Salt.Substring(64, 32))
                    DPassword = Security.DecryptData(Password)
                End If
            Catch ex As Exception
                DPassword = String.Empty
            End Try

            Try
                If DPassword = String.Empty Then
                    Dim Security As New Var.Simple3Des(Salt.Substring(96, 32))
                    DPassword = Security.DecryptData(Password)
                End If
            Catch ex As Exception
                DPassword = String.Empty
            End Try

            Return DPassword
        End Function

My question is A. Aside from possible perfomance issues, what other dangers does this method pose?
B. Is this overkill, is salting and storing the salt/password like this even necessary? C. If this is unnecessary what other methods could I use to salt and store salt/password?

Answer 1

Here is a great site that talks about the sort of thing you are interested in: https://crackstation.net/hashing-security.htm. The overall point of what they say is that:

1. If you are not careful yourself, messing with algorithms that are crafted to be secure can actually reduce their security.
2. It is overkill because you have to assume that an attacker will get your code before they can crack your database, so they will know your scheme.
3. Simply storing the hash and the salt should be fine. That is sort of the point of the hash and the salt.

I have used the crackstation page as a general reference on hashing security quite often. I highly recommend reading it as will probably contain plenty of information that you will find relevant and that I omitted here.