Salts
Posted: Sun Jul 01, 2007 9:40 pm
by superdezign
feyd directed me to an old, informative post on password security, and now I've absolutely got to add more security to my passwords. However, this whole salting business has me stumped.
As I understand it, you can make a salt out of basically any value, some selections being better than others. I saw the use of uniqid(), which looked promising in its security, but it's generated based on time. Does that mean that I'd be able to create and add the salt, but then never recreate it? How would I check against passwords then?
Should I just use a piece of a user's data, and determine which piece I use based on their id or something?
Posted: Sun Jul 01, 2007 9:46 pm
by John Cartwright
The salt would never change, as it would be required to compare the original password to its equivalent hashed password. Don't use anything that is accessible to the outside world, like their ID, as it can be predicted, which weakens your security.
Code:
<?php
// Static, site-wide salt prepended to the password before hashing.
define('salt', 'jcart_secret_salt');
// Store this value; at login, hash the submitted password the same way and compare.
$password = md5(salt . 'jcartpassword');
Posted: Sun Jul 01, 2007 9:50 pm
by feyd
Salts can be universal and/or user specific. For example, I typically use two salts: a user-specific piece of data and a static piece that everyone gets. The major thing is to make sure the input to the hashing function is as long as or longer than the compression values.
In SHA256, that's 512 bits (64 bytes); SHA1 it's 320 bits (40 bytes); MD5 it's 256 bits (32 bytes).
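The two-salt scheme feyd describes (a random per-user salt stored beside the hash, plus a static site-wide secret kept out of the database) also answers the original question about "recreating" the salt: you never recreate it, you store it with the hash and read it back at login. The following is an added example, not code posted in this thread; the function names, the record format and the PEPPER constant are my own, and PBKDF2 over SHA-256 stands in for the single md5() call because it is deliberately slow.

```php
<?php
// Added example: per-user random salt + site-wide static secret ("pepper").
// Assumption: PEPPER is loaded from a config file outside the web root and
// the database, so a dumped user table alone is not enough to crack offline.
const PEPPER = 'replace-with-a-long-random-secret-from-config';

const KDF_ITERATIONS = 100000;   // tune upward as hardware allows
const KDF_KEY_BYTES  = 32;

// Called once at registration (or password change). Returns the string to
// store in the user row: algorithm, iteration count, salt and hash, all of
// which are needed again at login. The pepper is deliberately NOT stored.
function make_password_record(string $password): string
{
    // Per-user salt: random, not derived from the user id or any other
    // value an attacker can predict.
    $salt = random_bytes(16);
    $hash = hash_pbkdf2('sha256', PEPPER . $password, $salt, KDF_ITERATIONS, KDF_KEY_BYTES, true);
    return 'pbkdf2-sha256$' . KDF_ITERATIONS . '$' . base64_encode($salt) . '$' . base64_encode($hash);
}

// Called at login. Reads the salt and iteration count back out of the stored
// record, recomputes the hash for the submitted password and compares in
// constant time.
function check_password(string $password, string $record): bool
{
    $parts = explode('$', $record);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2-sha256') {
        return false;                       // unknown or malformed record
    }
    [, $iterations, $saltB64, $storedB64] = $parts;
    $salt   = base64_decode($saltB64, true);
    $stored = base64_decode($storedB64, true);
    if ($salt === false || $stored === false || (int) $iterations < 1) {
        return false;
    }
    $candidate = hash_pbkdf2('sha256', PEPPER . $password, $salt, (int) $iterations, strlen($stored), true);
    return hash_equals($stored, $candidate); // constant-time, avoids a timing side channel
}

// Usage: store $record in the users table; verify at login.
$record = make_password_record('jcartpassword');
var_dump(check_password('jcartpassword', $record));
var_dump(check_password('wrong-password', $record));
```

Because the salt is random per user, two users with the same password get different hashes and a precomputed table for one user is useless against another; because the pepper is in config rather than the database, a SQL dump alone does not give an attacker enough to run the hash offline. If you rotate the pepper, every stored record must be re-created, so treat it as a long-lived secret.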
Posted: Sun Jul 01, 2007 10:04 pm
by superdezign
1 BYTE = 1 CHAR, right?
Is it smart to make the salt and then chop it a certain way? Maybe split it in two and surround the original?
Posted: Sun Jul 01, 2007 10:10 pm
by feyd
superdezign wrote:1 BYTE = 1 CHAR, right?
In many latin based character sets, yes. Just remember there are multi-byte characters in many languages though.
superdezign wrote:Is it smart to make the salt and then chop it a certain way? Maybe split it in two and surround the original?
I don't believe it matters all that much, but honestly, I don't know for sure.
Posted: Sun Jul 01, 2007 10:12 pm
by superdezign
Okay then. Thanks. ^_^
Posted: Sun Jul 01, 2007 10:16 pm
by John Cartwright
I like the idea of one concrete salt, and another user-defined.

Hadn't thought of that before.