0

Possible Duplicate:
Secure hash and salt for PHP passwords

I want to generate a random salt and then store it along with the password in the user database. So something like this I think.

$salt = //random salt code
$hpassword = crypt($password,$salt)
Community
  • 1
  • 1
Travis Nabbefeld
  • 393
  • 3
  • 7
  • 14

2 Answers2

1

Version 5.5 of PHP will have built-in support for BCrypt, the functions password_hash() and password_verify(). For PHP version 5.3.7 and later, there exists a compatibility pack, and there you can find a good implementation of how to create a salt using the function mcrypt_create_iv(), see lines 86 and 121.

Because of this compatibility pack, you should also consider to use this functions directly, instead of writing your own, here you can find an example. Especially the creation of the salt for BCrypt is a tricky thing, and one can make a lot of mistakes.

P.S. A salt should be as random as possible (read from the random source of the operating system), because that's the best way to make it unique and unpredictable on a deterministic computer.

Community
  • 1
  • 1
martinstoeckli
  • 23,430
  • 6
  • 56
  • 87
0

Try Hashing an existing field (such as username) and use that for the salt.

Try here: http://en.wikipedia.org/wiki/PBKDF2

boruch
  • 453
  • 3
  • 16
  • 3
    Some people say you should not use an existing field, but have a random salt: http://stackoverflow.com/a/2248920/14955 – Thilo Jan 17 '13 at 04:27
  • Others disagree :) if the cipher is strong enough (recursive hashing) Rainbow Tables become useless. (On the other hand if your stored salts are compromised, say goodbye to your passwords if your'e using weak algorithm)... – boruch Jan 17 '13 at 04:31
  • what about scrambling the existing field first with your own algorithm before using it as a salt? – Nicolas Brown Jan 17 '13 at 04:41