Salts

superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

feyd directed me to an old, informative post on password security, and now I've absolutely got to add more security to my passwords. However, this whole salting business has me stumped.

As I understand it, you can make a salt out of basically any value, some selections being better than others. I saw the use of uniqid(), which looked promising in its security, but it's generated based on time. Does that mean that I'd be able to create and add the salt, but then never recreate it? How would I check against passwords then?

Should I just use a piece of a user's data, and determine which piece I use based on their id or something?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

The salt would never change, as it would be required to compare the original password to its equivalent hashed password. Don't use anything that is accessible to the outside world, like their ID, as it can be predicted and weaken your security.

Code:

// Site-wide secret salt; keep it out of the web root and never change it,
// or existing stored hashes can no longer be verified.
define('salt', 'jcart_secret_salt');

// Hash the salt prepended to the password; store this result, never the password.
$password = md5(salt . 'jcartpassword');
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Salts can be universal and/or user specific. For example, I typically use two salts: a user-specific piece of data and a static piece that everyone gets. The major thing is to make sure the input to the hashing function is as long as or longer than the compression values.

In SHA256, that's 512 bits (64 bytes); SHA1 it's 320 bits (40 bytes); MD5 it's 256 bits (32 bytes).
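To show why the per-user piece matters, here is an added example (not code from any poster in this thread) that puts the static-salt-only scheme next to feyd's two-salt approach: a site-wide secret plus a random salt generated once per user and stored beside the hash. The constant name, the `salt$hash` storage format and the sample passwords are my own assumptions; on PHP 5.5 or later, password_hash() and password_verify() do the per-user salting for you and are the better choice for new code.

```php
<?php
// Added example, not from the thread. Site-wide secret (feyd's "static piece");
// in a real application load it from config outside the web root.
const SITE_SALT = 'example_site_secret_CHANGE_ME';

// Static salt only, as in John's post: the same password always gives the same
// row, so two users who share a password are visible in a leaked table.
function hash_static(string $password): string
{
    return hash('sha256', SITE_SALT . $password);
}

// Per-user salt, generated once at registration. It is not secret, only unique.
function make_user_salt(): string
{
    return bin2hex(random_bytes(16)); // 32 hex chars, unpredictable
}

// Stored value is "salt$hash" so the salt can be recovered at login time.
function hash_salted(string $password, string $userSalt): string
{
    return $userSalt . '$' . hash('sha256', SITE_SALT . $userSalt . $password);
}

// Recompute with the stored salt and compare in constant time.
function verify_salted(string $password, string $stored): bool
{
    [$userSalt] = explode('$', $stored, 2);
    return hash_equals($stored, hash_salted($password, $userSalt));
}

// Constructed demo data: two users happen to choose the same password.
$alice = hash_salted('correct horse', make_user_salt());
$bob   = hash_salted('correct horse', make_user_salt());

var_dump(hash_static('correct horse') === hash_static('correct horse')); // true: identical rows
var_dump($alice === $bob);                                               // false: per-user salt differs
var_dump(verify_salted('correct horse', $alice));                        // true
var_dump(verify_salted('wrong password', $alice));                       // false
```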
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

1 BYTE = 1 CHAR, right?

Is it smart to make the salt and then chop it a certain way? Maybe split it in two and surround the original?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

superdezign wrote: 1 BYTE = 1 CHAR, right?

In many Latin-based character sets, yes. Just remember there are multi-byte characters in many languages, though.

superdezign wrote: Is it smart to make the salt and then chop it a certain way? Maybe split it in two and surround the original?

I don't believe it matters all that much, but honestly, I don't know for sure.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Okay then. Thanks. ^_^
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

I like the idea of one concrete salt, and another user-defined. :) Hadn't thought of that before.