
So after researching this quite a bit I'd like to know if this is the best-practice way of doing it or not.

When I send the user's password to the DB I'm doing this:

// DB input:

$mySalt = time(); // generate "random" salt such as a timestamp
$password = crypt($_POST['password'], $mySalt);
// submit $password and $mySalt to the DB here via PDO

And when I go to check the password at login I'm doing this:

// At login:

// retrieve the password and the salt from the DB
if (crypt($_POST['password'], $saltFromDb) === $passFromDb) {
    // allow login
}

Would this be the correct way to do that or am I missing something? Thank you for any advice.

Matt Whitehead

1 Answer


What you need instead is to use the inbuilt salting and hashing functions supplied within crypt. Here is an example using a good hashing algorithm called blowfish (bcrypt): How do you use bcrypt for hashing passwords in PHP?

In this case the slower the algorithm the better.

When getting it from the DB you would simply use crypt() to evaluate the entire string to understand if it validates as the correct password etc.

Sammaye
    "time() is a bad salt." --- any further explanations? – zerkms Aug 08 '12 at 23:43
  • @zerkms Taken it out because I am not sure about my theory on it; however, my theory is that because it is a steadily increasing int it is not as powerful as the ones provided by the likes of that in the answer I linked. – Sammaye Aug 08 '12 at 23:46
  • Thank you for your answer. So are you saying there is no need for $saltFromDb in the login part? If so, how does the function get the proper password string without knowing the salt? – Matt Whitehead Aug 08 '12 at 23:48
  • @Freethinker It bundles the salt within the hash string, read the answer I linked it will become clear. – Sammaye Aug 08 '12 at 23:49
  • @Sammaye: even though it is completely correct - it is never a good idea to advise something you're not entirely sure about ;-) – zerkms Aug 08 '12 at 23:53
  • @zerkms Indeed :) thanks for pointing it out. I did delete the explanation however it appears I didn't delete the line itself. – Sammaye Aug 08 '12 at 23:54
  • @Sammaye: actually what's "bad" with time() as a salt is its "predictability". The really good salt should be unpredictable and different for each row. But in real life it's not that dangerous. So from my personal point of view - the totally random salt is better, but even time() is good for 99% of projects – zerkms Aug 08 '12 at 23:57
  • @zerkms Yea I suppose it's all down to the paranoia of the individual. I have a high paranoia so I avoid `time()`. – Sammaye Aug 08 '12 at 23:59
  • @Sammaye What about using time() with a modifier like time() + some random number or letter? That way it's a unique salt but not just a steadily increasing int...? – Matt Whitehead Aug 09 '12 at 02:09
  • @Freethinker Yea that's random enough but then you might as well use the random byte range given by the answer, that's taken from the PHP hash framework so it is community tested. – Sammaye Aug 09 '12 at 07:05
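The answer above says to let crypt() generate and embed the salt, and the comments argue about whether time() is an acceptable one. The block below is an added example written for this edit, not code from the question or the answer. It shows the recommended approach in working PHP: a bcrypt salt built from CSPRNG bytes, the full crypt() output stored as the single password column (so there is no separate $saltFromDb), and verification by feeding that stored string back in as the salt. It assumes PHP 7.0 or later (random_bytes(), hash_equals(), the $2y$ prefix); the cost of 12, the function names and the sample password are arbitrary choices. One check worth doing on the question's original code: a salt such as "1344470000" carries no algorithm prefix, so crypt() treats it as a traditional DES salt, using only the first two characters and truncating the password to 8 bytes; you can see this because the result is only 13 characters long rather than the 60 of a bcrypt hash. Separately, bcrypt itself only reads the first 72 bytes of the password.

```php
<?php
// Added example (not from the original post): bcrypt via crypt() with a salt
// drawn from the CSPRNG, plus the password_hash() equivalent for newer PHP.
// Assumes PHP >= 7.0 (random_bytes, hash_equals, "$2y$" bcrypt prefix).
declare(strict_types=1);

// Assumption: 12 is a reasonable 2020s default; tune so one hash takes
// roughly 100-250 ms on the login server.
const BCRYPT_COST = 12;

/** Build a "$2y$<cost>$<22 chars>" salt string; crypt() does the real work. */
function makeBcryptSalt(int $cost = BCRYPT_COST): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    // 16 random bytes -> base64 -> swap '+' for '.', because the bcrypt salt
    // alphabet is ./A-Za-z0-9; take the first 22 characters (128 bits).
    $salt22 = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $salt22);
}

/** Hash for storage. The returned string carries algorithm, cost and salt. */
function hashPassword(string $password): string
{
    $hash = crypt($password, makeBcryptSalt());
    // crypt() signals failure with a short string such as "*0"; never store that.
    if (strlen($hash) !== 60 || strncmp($hash, '$2y$', 4) !== 0) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

/** Verify at login: the stored hash is passed back in as the salt. */
function verifyPassword(string $password, string $storedHash): bool
{
    // hash_equals() compares in constant time, unlike === on strings.
    return hash_equals($storedHash, crypt($password, $storedHash));
}

/** Length check that exposes the question's time() salt problem. */
function looksLikeBcrypt(string $hash): bool
{
    return strlen($hash) === 60 && strncmp($hash, '$2y$', 4) === 0;
}

// --- demo with a constructed password; in real code the password comes from
// $_POST and the stored hash from a PDO query on the users table ---
$stored = hashPassword('correct horse battery staple');
var_dump(looksLikeBcrypt($stored));
var_dump(verifyPassword('correct horse battery staple', $stored));
var_dump(verifyPassword('Tr0ub4dor&3', $stored));

// The question's approach for comparison: a numeric salt with no prefix is
// treated as a traditional DES salt, so the output is 13 characters, not 60.
$desStyle = crypt('correct horse battery staple', (string) 1344470000);
var_dump(looksLikeBcrypt($desStyle));

// Since PHP 5.5 the same thing is one call each; new code should use these.
$stored2 = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
var_dump(password_verify('correct horse battery staple', $stored2));
// password_needs_rehash($stored2, PASSWORD_BCRYPT, ['cost' => 13]) lets you
// raise the cost later, re-hashing at next successful login.
```

Note that with this scheme the database needs only the one 60-character column: the algorithm identifier, cost and salt are all inside the string, which is what the comment about "bundling the salt within the hash string" refers to.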