0

Is there an advantage as to where password hashing and salting occur, in PHP vs. in a database? It seems that having the process occur inside the database would be the optimal solution, since the web server and the database would only have to exchange the password and not the salt.

Lloyd Banks
  • Passwords are sensitive. Salts are not, and exist solely to mitigate viability of [rainbow table attacks](http://en.wikipedia.org/wiki/Rainbow_table). – Matt Ball Mar 12 '13 at 01:48
  • Do you happen to have a password-based key derivation function built into your database? – Waleed Khan Mar 12 '13 at 02:04
  • @llnk I don't see how this is a duplicate of the other question. The other question deals exclusively with which hashing method is best, not with where the hashing occurs – Lloyd Banks Mar 12 '13 at 13:19

2 Answers

4

It's okay to store the salt in the database. It's an advantage to do so, because you want to use a different random salt per user.

I recommend doing the hashing in the application.

The reason is that if you do the hashing in an SQL expression, and you use query logging on the database server, you might be storing plaintext samples of the user passwords in the query log.

Bill Karwin
0

If you're using something better than a simple hash + salt, like PBKDF2, you're going to have to involve PHP at this point AFAIK. So in terms of best location, for me, the best location is in the code because that's where you can do the "best" method of password hashing.

Mark Stanislav
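The application-side approach both answers recommend, as an added example that is not code from either answer: password_hash() generates a random per-user salt and stores it inside the hash string, so only the finished hash ever reaches the database, and hash_pbkdf2() shows the explicit-salt variant the second answer mentions. It assumes PHP 7 or later with the PDO SQLite driver, used here only so the script runs stand-alone.

```php
<?php
// Added example (not from the original answers). Hashing and salting happen in
// PHP; the SQL text sent to the server never contains the plaintext password, so
// a query log on the database server cannot capture it.
// Assumption: an in-memory SQLite database stands in for the real one.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

function registerUser(PDO $db, string $username, string $password): void
{
    // Salt generation and hashing happen here, in the application, not in SQL.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Bound parameters keep the secret out of the query text itself.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function verifyUser(PDO $db, string $username, string $password): bool
{
    // Fetch only the stored hash; the comparison runs in PHP.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false;   // unknown user
    }
    return password_verify($password, $hash);
}

// Explicit-salt variant (PBKDF2, as the second answer mentions): the salt would be
// stored in its own column next to the hash. Iteration count is an assumption.
function pbkdf2Hash(string $password, string $salt): string
{
    return hash_pbkdf2('sha256', $password, $salt, 100000, 64);
}

function pbkdf2Verify(string $password, string $salt, string $storedHash): bool
{
    // Constant-time comparison of the recomputed hash with the stored one.
    return hash_equals($storedHash, pbkdf2Hash($password, $salt));
}

// Constructed sample usage.
registerUser($db, 'alice', 'correct horse battery staple');
var_dump(verifyUser($db, 'alice', 'correct horse battery staple'));
var_dump(verifyUser($db, 'alice', 'wrong password'));

$salt = random_bytes(16);                       // per-user random salt
$stored = pbkdf2Hash('hunter2', $salt);
var_dump(pbkdf2Verify('hunter2', $salt, $stored));
```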