-2

I'd just like to know if this script is secure enough for a password encryption:

<?php

$password    = 'password';
$salt        = '9awd8n12jok1llawawf';

$new         = hash($password . $salt, 'ripemd160');
final        = strrev($new);

?>

Thanks.

user1453094
  • 373
  • 2
  • 7
  • 13

2 Answers2

3

Don't use the same salt for every password. Normally what you'll want to do is use some replicable value as the salt. For example, some hash of the user id (if the user id never changes), or some random string that you save with the user account information. The salt should never be visible to the end user.

King Skippus
  • 3,801
  • 1
  • 24
  • 24
  • Just to be clear, it's not a heinous security violation if the salt is visible to the end user. It might make cracking the user's password a little easier, but as long as you're not revealing *all* salts to users, it shouldn't be a big deal. But practically speaking, there should never be a reason that the salt is visible to the end user, I'm just saying don't encode it in a cookie or anything, it should only be used server-side. – King Skippus Jul 05 '12 at 16:30
1

if you want to provide even more security, store the users register timestamp and use that for a hash salt. That way the hash salt is more random and your data a bit more secure.

Tschallacka
  • 27,901
  • 14
  • 88
  • 133