
Password Salt

Posted: Tue Oct 11, 2011 11:55 am
by Pazuzu156
I'm getting a membership site put up soon, and I already have user registrations and logins. I hash the passwords using sha1, but how do I salt my passwords for extra security?

Re: Password Salt

Posted: Thu Oct 13, 2011 1:44 am
by Mordred
Check the article/discussion in my sig and come back for questions ;)

Re: Password Salt

Posted: Thu Oct 13, 2011 5:43 am
by Apollo
Pazuzu156 wrote:I'm getting a membership site put up soon, and I already have user registrations and logins. I hash the passwords using sha1, but how do I salt my passwords for extra security?

// Whirlpool over the password, a fixed application-wide secret string, and a per-user value
$h = hash( 'whirlpool', $password.'n2m#E9S(hqdJH-ir8!7m/D5bk4_iQ'.$userId );
($userId being some unique ID per user that doesn't change, you could also use their registration timestamp for example)

But better read Mordred's article anyway :)

Re: Password Salt

Posted: Thu Nov 10, 2011 1:36 am
by JimJiang
You can use

// md5 of the md5'd password with a fixed salt string appended
$md5_password = md5(md5($password).'salt');
:P

Re: Password Salt

Posted: Thu Nov 10, 2011 1:43 am
by Benjamin
JimJiang wrote:You can use

// md5 of the md5'd password with a fixed salt string appended
$md5_password = md5(md5($password).'salt');
:P
This is not proper because it reduces security by increasing possible collisions.

Re: Password Salt

Posted: Thu Nov 10, 2011 1:51 am
by Mordred
While technically this is true, the increased chance of a collision is still so very very close to zero. With passwords we mostly care for the "one-way" property, not the "hard-to-collide" property of the hash functions.
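Added example, not code from any of the posters above: it puts the fixed-salt md5 construction from the thread next to a per-user random salt with a slow hash (PHP's password_hash), and shows how an existing sha1 table like the original poster's can be migrated on login. The column names pw_hash and pw_scheme are assumptions.

```php
<?php
// The construction from the thread: one fixed salt string for every user,
// run through a fast hash. Two users with the same password get the same
// value, so one cracked row reveals every other user with that password.
function weak_hash(string $password): string {
    return md5(md5($password) . 'salt');
}

// Hardened form: password_hash() draws a fresh random salt per call and
// stores it inside the returned string, so no separate salt column is needed.
// PASSWORD_DEFAULT is bcrypt today and may change in later PHP releases.
function store_password(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

function check_password(string $password, string $stored): bool {
    return password_verify($password, $stored);
}

// Migrating an existing table: rows keep their old sha1 hash until the user
// logs in; the old scheme is checked once, then the row is rewritten with
// password_hash(). $row is an assumed array with 'pw_hash' and 'pw_scheme'.
function login_and_migrate(string $password, array &$row): bool {
    if ($row['pw_scheme'] === 'sha1') {
        // hash_equals() is a constant-time comparison
        if (!hash_equals($row['pw_hash'], sha1($password))) {
            return false;
        }
        $row['pw_hash']   = store_password($password);
        $row['pw_scheme'] = 'password_hash';
        return true;
    }
    if (!check_password($password, $row['pw_hash'])) {
        return false;
    }
    // Transparently raise the cost or algorithm for rows hashed under older settings
    if (password_needs_rehash($row['pw_hash'], PASSWORD_DEFAULT)) {
        $row['pw_hash'] = store_password($password);
    }
    return true;
}

// Constructed sample data: two users sharing a password.
$alice = store_password('hunter2');
$bob   = store_password('hunter2');
var_dump(weak_hash('hunter2') === weak_hash('hunter2')); // bool(true): fixed salt, same hash
var_dump($alice !== $bob);                               // bool(true): per-user salt differs
var_dump(check_password('hunter2', $alice));             // bool(true)
var_dump(check_password('Hunter2', $alice));             // bool(false)
$legacy = ['pw_hash' => sha1('hunter2'), 'pw_scheme' => 'sha1'];
var_dump(login_and_migrate('hunter2', $legacy) && $legacy['pw_scheme'] === 'password_hash'); // bool(true)
```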