How do I salt & pepper passwords?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

JAB Creations
DevNet Resident
Posts: 2341
Joined: Thu Jan 13, 2005 6:44 pm
Location: Sarasota Florida

How do I salt & pepper passwords?

Post by JAB Creations »

First off, I read this thread by Mordred, which I think was awesome. I've been working on a lot of authentication-related stuff, and I'm far from posting anything live or in the critique forum for a while; however, it's now or never with securing passwords on my test databases.

I think I grasp the fundamental aspects of salt and pepper. In my head at least I'm thinking a universal salt in PHP and a per-user pepper, obviously stored in the MySQL database. I'm just not sure what code/functions are used to add the salt and pepper?

Here is an example of a SHA256 Hash...

hash("sha256", $data, false);
...what would I do to add $salt and $pepper to it?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: How do I salt & pepper passwords?

Post by Mordred »

Any way you like, as long as all three values enter the hash; even string concatenation will do:

hash("sha256", $salt.$data.$pepper, false);
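A fuller version of the concatenation approach above, added here as an example and not code from either poster: a random per-user salt is generated at registration and stored beside the hash, the site-wide secret is kept in PHP configuration rather than in the database, and verification uses hash_equals() so that a mismatch does not leak timing information. Note the naming: in conventional usage the per-user random value is the salt (stored in the DB) and the site-wide secret is the pepper (kept out of the DB), the reverse of how the first post labels them. The PEPPER constant and the in-memory $users array are constructed stand-ins for a config file and the MySQL table.

```php
<?php
// Added example for this thread, not the posters' code. Assumptions: PEPPER would
// normally be loaded from a config file outside the web root; $users stands in for
// the MySQL table. SHA-256 with concatenation is used to match Mordred's reply.
declare(strict_types=1);

// Site-wide secret. Constructed placeholder so the script runs stand-alone;
// in a real deployment generate it with random_bytes() once and keep it in config.
const PEPPER = 'CONSTRUCTED-PEPPER-REPLACE-WITH-RANDOM-SECRET';

/** Fresh random per-user salt: 16 random bytes, stored as 32 hex characters. */
function makeSalt(): string
{
    return bin2hex(random_bytes(16));
}

/** All three values enter one SHA-256, exactly as suggested in the reply above. */
function hashPassword(string $password, string $salt, string $pepper): string
{
    return hash('sha256', $salt . $password . $pepper, false);
}

/** Register a user: persist the salt and the hash, never the password itself. */
function registerUser(array &$db, string $username, string $password): void
{
    $salt = makeSalt();
    $db[$username] = [
        'salt' => $salt,
        'hash' => hashPassword($password, $salt, $pepper = PEPPER),
    ];
}

/** Verify a login attempt; hash_equals() compares in constant time. */
function verifyUser(array $db, string $username, string $password): bool
{
    if (!isset($db[$username])) {
        // Do the same amount of work for an unknown user so the response time
        // does not reveal whether the username exists.
        hashPassword($password, makeSalt(), PEPPER);
        return false;
    }
    $row = $db[$username];
    $candidate = hashPassword($password, $row['salt'], PEPPER);
    return hash_equals($row['hash'], $candidate);
}

// Constructed demonstration data.
$users = [];
registerUser($users, 'alice', 'correct horse battery staple');

var_dump(verifyUser($users, 'alice', 'correct horse battery staple'));
var_dump(verifyUser($users, 'alice', 'wrong password'));
var_dump(verifyUser($users, 'nobody', 'anything'));
```

Two practitioner caveats on the scheme itself: a plain SHA-256 is fast by design, so an attacker who obtains the table and the pepper can test guesses very quickly; PHP's built-in password_hash() and password_verify() (bcrypt, with the salt handled for you and a configurable cost) are the usual answer to that today, and the pepper can then be applied by running the password through hash_hmac() with the site secret before passing it to password_hash(). Keeping the pepper out of the database is the whole point of having one: a SQL injection that dumps the users table should not also dump the secret.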
JAB Creations
DevNet Resident
Posts: 2341
Joined: Thu Jan 13, 2005 6:44 pm
Location: Sarasota Florida

Re: How do I salt & pepper passwords?

Post by JAB Creations »

The hash part I wasn't sure about; however, the concatenation obviously makes sense.

Thanks for your reply and the other thread that you started! I've actually been thinking about creating a column that counts unsuccessful authentication attempts and freezes the account for administrative review as a way to prevent brute forcing on my site. Then (because of the fact that bots don't need to jump through loops), if the bot is still posting authentication where, for example, a user would not have the GUI capability to do so in the browser, I could add the IP to a freeze or suspect list. There are just endless ways to determine abuse through various patterns. :)
arjan.top
Forum Contributor
Posts: 305
Joined: Sun Oct 14, 2007 4:36 am
Location: Hoče, Slovenia

Re: How do I salt & pepper passwords?

Post by arjan.top »

I would go the "Google" way, not locking the account...

Just show a captcha after many unsuccessful authentication attempts.
JAB Creations
DevNet Resident
Posts: 2341
Joined: Thu Jan 13, 2005 6:44 pm
Location: Sarasota Florida

Re: How do I salt & pepper passwords?

Post by JAB Creations »

There are two reasons I won't...

1.) I am interested in designer development. Developers make code that does stuff; designers take something and make it so that it does it in the way you want. Therefore, as users encounter errors or dead ends where I fail to take certain circumstances into consideration, I can adapt my work/site so as to catch more people in the future with every instance. I usually code this way to begin with, and while even the most in-depth coders will still have some holes in their code, I can at least become aware of any issues by having my code make me aware of where its own shortcomings are.

2.) Google? That's like saying I should use Internet Explorer, the browser, in this day and age where security holes are found within literally hours of a software release... when it didn't change for five years and had a 99% market share; both have a universal and thus very high market share. Why would I want to use the absolute most targeted methods being targeted by hackers to prevent... hacking?