Concorda / concorda-server

MIT License

Configure password salt at system level. #90

Closed mirceaalexandru closed 8 years ago

mirceaalexandru commented 8 years ago

Password should be configurable and can be changed.

AdrianRossouw commented 8 years ago

I'm not sure this is necessary, because I did some research and the way we do it now (each user having their own salt, stored in the table) is considered correct. Apparently this is how Django does it by default.

The original requirement reads:

Password storage is through a salted hash with the iteration count configurable and updatable during the lifespan of the application

So it seems like only the iteration count needs to be stored.
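
Added example, not part of the thread and not concorda-server's own code: a sketch of the scheme discussed above, with a random per-user salt and the iteration count stored beside each hash so the configured count can be raised later and old records upgraded at the next successful login. PBKDF2-SHA512 via Node's `crypto` module, the record field names and the function names are assumptions made for illustration.

```javascript
// Added example: per-user salt plus a stored, upgradable iteration count.
// Algorithm choice (PBKDF2-SHA512) and record layout are assumptions.
const crypto = require('crypto');

const DIGEST = 'sha512';
const KEY_LEN = 64; // bytes of derived key

// Hash with a fresh random salt. The iteration count is saved in the record,
// so changing the system-wide setting never invalidates existing hashes.
function hashPassword(password, iterations) {
  const salt = crypto.randomBytes(16);
  const hash = crypto.pbkdf2Sync(password, salt, iterations, KEY_LEN, DIGEST);
  return { salt: salt.toString('hex'), iterations, hash: hash.toString('hex') };
}

// Verify using the parameters stored with the record, not the current config.
function verifyPassword(password, record) {
  const salt = Buffer.from(record.salt, 'hex');
  const expected = Buffer.from(record.hash, 'hex');
  const actual = crypto.pbkdf2Sync(
    password, salt, record.iterations, expected.length, DIGEST);
  return crypto.timingSafeEqual(actual, expected); // constant-time compare
}

// Login flow: after a successful check, re-hash with the configured count if
// the stored one is lower. The caller persists result.record when upgraded.
function login(password, record, configuredIterations) {
  if (!verifyPassword(password, record)) {
    return { ok: false, upgraded: false, record };
  }
  if (record.iterations < configuredIterations) {
    const fresh = hashPassword(password, configuredIterations);
    return { ok: true, upgraded: true, record: fresh };
  }
  return { ok: true, upgraded: false, record };
}

// Constructed sample values; real iteration counts should be far higher.
const stored = hashPassword('correct horse battery staple', 1000);
const result = login('correct horse battery staple', stored, 2000);
console.log(result.ok, result.upgraded, result.record.iterations);
```

The upgrade can only happen at login because that is the one moment the plaintext password is available to re-derive the hash.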