Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
I'm a little confused on how the automatic salt is supposed to work for the new PHP5.5 functions for hashing. The manual says: [text]It is strongly recommended that you do not generate your own salt for this function. It will create a secure salt automatically for you if you do not specify one. [/text]
This is something I've always used something like:
to build. Then I store the salt separately along with the password for verification later.
How does this work with allowing PHP to manage the salts? Or is this "secure salt" really a site-wide salt which is more like a pepper? Where does it get stored?
Note that password_hash() returns the algorithm, cost and salt as part of the returned hash. Therefore, all information that's needed to verify the hash is included in it. This allows the verify function to verify the hash without needing separate storage for the salt or algorithm information.
Right, but I don't see how that is supposed to help slow down rainbow table bruteforce attacks. The idea of the salt is to help strengthen each individual password with its own randomness. So every password is hashed with a fresh salt. These have to be stored somewhere and applied when verifying the password.
I would have to assume that password_hash reuses the same salt each time as it couldn't store a hidden salt somewhere every time it hashs. To me this means it is using some kind of pepper scheme, not a salt.
I read the author's description, so I guess I'll go in and have a look at the source code.
Thanks. I saw that after looking through the source. That $2y is blowfish $10 is the cost then the salt+hash. My meager cryptography knowledge confused me with the language of the description that the "salt is included in the hash". I was thinking along the lines of other php hash functions