feyd directed me to an old, informative post on password security, and now I've absolutely got to add more security to my passwords. However, this whole salting business has me stumped.
As I understand it, you can make a salt out of basically any value, some selections being better than others. I saw the use of uniqid(), which looked promising in its security, but it's generated based on time. Does that mean that I'd be able to create and add the salt, but then never recreate it? How would I check against passwords then?
Should I just use a piece of a user's data, and determine which piece I use based on their id or something?
Salts
John Cartwright (Site Admin) wrote:
The salt would never change, as it would be required to compare the original password to its equivalent hashed password. Don't use anything that is accessible to the outside world, like their ID, as it can be predicted and weaken your security.
Code:
<?php
// Site-wide static salt: the same value is used every time so the hash can be recomputed at login.
define('salt', 'jcart_secret_salt');
$password = md5(salt . 'jcartpassword');
feyd wrote:
Salts can be universal and/or user specific. For example, I typically use two salts: a user-specific piece of data and a static piece that everyone gets. The major thing is to make sure the input to the hashing function is as long or longer than the compression values.
In SHA256, that's 512 bits (64 bytes); SHA1 it's 320 bits (40 bytes); MD5 it's 256 bits (32 bytes).
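As an added example (not code from the thread) of the per-user plus site-wide salt scheme feyd describes, and of why the salt is stored once rather than regenerated (the uniqid() question above): it assumes PHP 7.1+, a constructed in-memory user table, and a placeholder site salt.

```php
<?php
// Added example, not from the thread. Site-wide static salt (placeholder value):
// in practice keep it in configuration outside the web root, not in the database.
const SITE_SALT = 'example-site-wide-salt-change-me';

function hashPassword(string $password, string $userSalt): string
{
    // Both salts go into the input: the per-user one defeats precomputed tables,
    // the static one is an extra secret that lives outside the user table.
    return hash('sha256', SITE_SALT . $userSalt . $password);
}

function registerUser(array &$users, string $username, string $password): void
{
    // 16 bytes from the OS CSPRNG, generated once and stored beside the hash.
    // It is never regenerated, so there is nothing to "recreate" at login.
    $userSalt = bin2hex(random_bytes(16));
    $users[$username] = [
        'salt' => $userSalt,
        'hash' => hashPassword($password, $userSalt),
    ];
}

function verifyPassword(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;  // unknown user
    }
    $record = $users[$username];
    // Re-read the stored salt, recompute the hash, compare in constant time.
    return hash_equals($record['hash'], hashPassword($password, $record['salt']));
}

// Constructed in-memory "user table" for the demo: username => ['salt', 'hash'].
$users = [];
registerUser($users, 'alice', 'correct horse battery staple');
var_dump(verifyPassword($users, 'alice', 'correct horse battery staple'));
var_dump(verifyPassword($users, 'alice', 'wrong password'));
```

PHP's built-in password_hash()/password_verify() apply the same store-the-salt idea with a deliberately slow hash and are what a new application should use instead of md5 or a single sha256.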
feyd wrote:
superdezign wrote:1 BYTE = 1 CHAR, right?
In many Latin-based character sets, yes. Just remember there are multi-byte characters in many languages though.
superdezign wrote:Is it smart to make the salt and then chop it a certain way? maybe split it in two and surround the original?
I don't believe it matters all that much, but honestly, I don't know for sure.