Unique generated SALT for each user?

Question

I'd like to ask if it's possible to generate a unique salt for each user and then hash it like sha1(sha1($password . $salt)) so the $salt is a randomly generated string?.

If yes, how would I encrypt the password on login?

Xenforo uses this, and I am wondering how are they encrypting the passwords if they are using unique salt for each user?.

Many thanks.

http://stackoverflow.com/a/2235548/251311 – zerkms Mar 25 '13 at 00:36 — zerkms, Mar 25 '13 at 00:36

Blender · Accepted Answer · 2013-03-25T00:49:14.373

Don't make your own password hashing algorithm. It's going to be easily crackable and your users won't appreciate their passwords being stolen when your database is compromised.

Bcrypt and other well-tested hashes do this already:

>>> bcrypt.generate_password_hash('password', 15)
    '$2a$15$bzaLXuer1C8dtSckDp3AI.eOoL/nOTsSdpjEMyDMcJ3ZQELdRcLzq'
>>> bcrypt.generate_password_hash('password', 15)
    '$2a$15$Ye.cFInKhzo1KvAJGSi6yORV5uEqeW.Z1oAhdfi.163Psz4YPA3CO'

The random salt and the number of rounds are stored within the hash itself, separated by a delimiter, which lets the constant-time password checking function pick the salt out of the resulting hash string.

If for some other reason you need to create secure random strings, use openssl_random_pseudo_bytes():

$bytes = openssl_random_pseudo_bytes(64, true);
$hex = bin2hex($bytes);

Unique generated SALT for each user?

1 Answers1