A "strong" salt

Chalks
Forum Contributor
Posts: 447
Joined: Thu Jul 12, 2007 7:55 am
Location: Indiana

A "strong" salt

Post by Chalks »

What makes a salt "strong"?

A salt that I've used before is "56v2jxa9er73qse".
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

You want a maximum amount of entropy. You also want a salt long enough so that the hash must take at least two passes to complete the computation.
Chalks
Forum Contributor
Posts: 447
Joined: Thu Jul 12, 2007 7:55 am
Location: Indiana

Post by Chalks »

The way I generated the salt was by using a random number/letter generator that I found online somewhere. Is that enough entropy?

Also, how long does my string need to be to force the hash algorithm to pass through it twice? I'm using your sha256 class and my string is a minimum of 27 characters.

Thanks :)

Edit: I'm not entirely sure what is meant by "entropy" in this context.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

SHA256 requires a minimum of 64 bytes of input to make two passes.

Entropy:
  1. Symbol S For a closed thermodynamic system, a quantitative measure of the amount of thermal energy not available to do work.
  2. A measure of the disorder or randomness in a closed system.
  3. A measure of the loss of information in a transmitted message.
  4. The tendency for all matter and energy in the universe to evolve toward a state of inert uniformity.
  5. Inevitable and steady deterioration of a system or society.
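An added PHP example (not code from this thread and not feyd's sha256 class) that puts numbers on the two points above: how many bits of entropy a salt can carry given its alphabet and length, and how many 64-byte blocks SHA-256 actually processes for a given input length once padding is accounted for. The function names are mine; it assumes PHP 7 or later for random_bytes() and intdiv().

```php
<?php
declare(strict_types=1);

// Upper bound on the entropy (in bits) of a salt of $length symbols drawn
// uniformly from an alphabet of $alphabetSize symbols. The figure only holds
// if the generator really was uniform and unpredictable; a string copied from
// an unknown online generator cannot be assumed to reach it.
function saltEntropyBits(int $length, int $alphabetSize): float
{
    return $length * log($alphabetSize, 2);
}

// Number of 64-byte blocks the SHA-256 compression function runs over for a
// message of $messageLength bytes. SHA-256 appends a 0x80 byte, zero padding,
// and an 8-byte length field, then splits the result into 64-byte blocks, so
// the count is floor(($messageLength + 8) / 64) + 1.
function sha256Blocks(int $messageLength): int
{
    return intdiv($messageLength + 8, 64) + 1;
}

// A fresh salt from the OS CSPRNG, generated once per stored password.
// 16 random bytes carry 128 bits of entropy; hex encoding doubles the
// length of the string but adds no entropy.
function generateSalt(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));
}

// The salt quoted in the thread: 15 symbols from [a-z0-9], a 36-symbol alphabet.
$handPicked = '56v2jxa9er73qse';
printf("%s: at most %.1f bits (if it was uniformly random)\n",
    $handPicked, saltEntropyBits(strlen($handPicked), 36));
printf("random_bytes(16): %.1f bits\n", saltEntropyBits(16, 256));

// Block counts for a few input sizes, including the 27-byte minimum above.
foreach ([27, 55, 56, 64, 120] as $len) {
    printf("%3d-byte input -> %d SHA-256 block(s)\n", $len, sha256Blocks($len));
}
printf("fresh salt: %s\n", generateSalt());
```

Because of the padding, an input of 56 bytes already needs two blocks and 55 bytes still fits in one; a 27-byte input is hashed in a single block.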
Chalks
Forum Contributor
Posts: 447
Joined: Thu Jul 12, 2007 7:55 am
Location: Indiana

Post by Chalks »

As usual you've been very helpful.

Thanks, feyd.