Password Salt

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Pazuzu156
Forum Contributor
Posts: 241
Joined: Sat Nov 20, 2010 9:00 pm
Location: GA, USA

Password Salt

Post by Pazuzu156 »

I'm getting a membership site put up soon, and I already have user registrations and logins. I hash the passwords using sha1, but how do I salt my passwords for extra security?
- Kaleb Klein
------------------------------------
Web Developer | Software Developer
https://kalebklein.com
PGP Key: https://keybase.io/pazuzu156
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Password Salt

Post by Mordred »

Check the article/discussion in my sig and come back for questions ;)
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Password Salt

Post by Apollo »

Pazuzu156 wrote:I'm getting a membership site put up soon, and I already have user registrations and logins. I hash the passwords using sha1, but how do I salt my passwords for extra security?

// Whirlpool over password + fixed site secret + per-user value
$h = hash( 'whirlpool', $password.'n2m#E9S(hqdJH-ir8!7m/D5bk4_iQ'.$userId );
($userId being some unique ID per user that doesn't change, you could also use their registration timestamp for example)

But better read Mordred's article anyway :)
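For comparison with the scheme above, here is an added example (my own code, not from any poster in this thread) of the way PHP itself handles the salt: password_hash() generates a random per-user salt with every call and stores it inside the returned string, so nothing has to be derived from a user ID or a registration timestamp, and the hash is deliberately slow (bcrypt) rather than a single fast digest. Because the original poster already has unsalted sha1 hashes in the database, the example also shows a login routine that accepts the old hash once and replaces it with a bcrypt hash on the spot. The function names, the cost of 12 and the demo password are all my own assumptions; adjust the cost to what your login server tolerates.

```php
<?php
// Added example, not code from the thread.
// Needs PHP >= 7.0 (random_bytes); password_hash/password_verify exist since 5.5.
declare(strict_types=1);

// Assumed value: raise until one hash costs roughly 100-250 ms on your server.
const BCRYPT_COST = 12;

// Registration: password_hash() draws a fresh random salt and embeds it in the
// result ($2y$<cost>$<22-char salt><31-char hash>), so only this string is stored.
// Caveat: bcrypt only looks at the first 72 bytes of the password.
function hashNewPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Check for rows that still hold the old unsalted sha1 hex digest.
// hash_equals() compares in constant time, avoiding a timing side channel.
function verifyLegacySha1(string $password, string $storedSha1): bool
{
    return hash_equals($storedSha1, sha1($password));
}

// Login. Returns [bool ok, ?string newHashToStore]. When the stored value is a
// legacy sha1 (40 hex chars, no '$' prefix) and the password matches, the caller
// writes the returned bcrypt hash back to the row and the sha1 is gone for good.
function verifyAndUpgrade(string $password, string $stored): array
{
    if (preg_match('/^[0-9a-f]{40}$/', $stored) === 1) {
        if (!verifyLegacySha1($password, $stored)) {
            return [false, null];
        }
        return [true, hashNewPassword($password)];
    }

    if (!password_verify($password, $stored)) {
        return [false, null];
    }

    // If BCRYPT_COST was raised since this hash was made, rehash now.
    $opts = ['cost' => BCRYPT_COST];
    $newHash = password_needs_rehash($stored, PASSWORD_BCRYPT, $opts)
        ? hashNewPassword($password)
        : null;
    return [true, $newHash];
}

// What "a salt" means when done by hand: 16 random bytes per user, stored next
// to the hash, never derived from something predictable such as a user ID.
// sha256 is still a fast hash; this only illustrates the salt itself, and
// password_hash() above remains the recommended path.
function manualSaltedHash(string $password): array
{
    $salt = random_bytes(16);
    $hash = hash('sha256', $salt . $password, true);
    return ['salt' => bin2hex($salt), 'hash' => bin2hex($hash)];
}

// Constructed demo data (not real user records).
$pw = 'correct horse battery staple';
$legacyRow = sha1($pw);

[$ok, $upgraded] = verifyAndUpgrade($pw, $legacyRow);
printf("legacy login ok=%s, upgraded to bcrypt=%s\n",
    var_export($ok, true), $upgraded !== null ? 'yes' : 'no');

[$ok2, $again] = verifyAndUpgrade($pw, $upgraded);
printf("bcrypt login ok=%s, rehash needed=%s\n",
    var_export($ok2, true), $again === null ? 'no' : 'yes');

[$bad] = verifyAndUpgrade('wrong password', $upgraded);
printf("wrong password ok=%s\n", var_export($bad, true));

// Two registrations of the same password get different salts and hashes.
$a = manualSaltedHash($pw);
$b = manualSaltedHash($pw);
printf("same password, distinct manual hashes=%s\n",
    var_export($a['hash'] !== $b['hash'], true));
```

The fixed string Apollo mixes in is a pepper (a secret kept in code, useful if the database leaks but the code does not) rather than a salt; a salt's job is to be different for every user so that one precomputed table cannot be reused, and for that a random value is safer than a user ID or timestamp an attacker can guess. If you want a pepper as well, apply it as an HMAC over the password before calling password_hash() rather than concatenating it.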
JimJiang
Forum Newbie
Posts: 5
Joined: Wed Nov 09, 2011 7:32 am

Re: Password Salt

Post by JimJiang »

You can use

// Double md5 with a fixed salt appended to the inner digest
$md5_password = md5(md5($password).'salt');
:P
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Password Salt

Post by Benjamin »

JimJiang wrote:You can use

$md5_password = md5(md5($password).'salt');
:P
This is not proper because it reduces security by increasing possible collisions.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Password Salt

Post by Mordred »

While technically this is true, the increased chance of a collision is still so very, very close to zero. With passwords we mostly care about the "one-way" property, not the "hard-to-collide" property of the hash functions.