0

I am busy with a user authentication class for my framework and I currently use code I got from a tutorial a while ago. As with most programmers I feel I need to understand what the code does and want to modify it to be more secure. I found with the version below it fails on a Mac so I need to rewrite it. Here is my previous method in my authentication class (used to register an account:

 // security is a config file with a global salt in $security->security_salt
 public function generate_crypt($password) {
    $security = new security();
    $crypt_salt = '$6$rounds=5000$' . uniqid() . "$";
    $password = $password . $security->security_salt;
    return crypt($password, $crypt_salt);
}

Now the example above only uses 1 global salt, and I feel it would be better if I had a seperate salt for each user, so effectively I am thinking of changing it to:

/*
 * properties below are from methods, I am just putting it as
 * seperate variables to be understood a little better:
 *
 */

 private function generate_user_salt() {
       return hash('sha512',uniqid());
 }

 private function generate_crypt($password, $user_salt) {
    $security = new security_config();
    $password = $password . $security->security_salt;
    return crypt($password, $user_salt);
}

private register() {
      $user_salt = $this->generate_user_salt();
      $password = $this->generate_crypt($_POST['password'],$user_salt);
      // Write user to database where `salt`=>$user_salt and `password`=>$password;
}

To authenticate I would then do:

 // Data is retrieved from database and stored in a $this->credentials array property:
 private function validate_password() {
    $security = new security_config();
    $salted_password = $_POST['password'] . $security->security_salt;
    if (crypt($salted_password, $this->credentials['salt']) == $this->credentials['password']) {
        return true;
    }
}

I have tested the above and it appears to be work correctly, however, is this the correct way of using crypt() and is it secure at all? I am trying to use 2 salt strings so that even if there was a security bridge and someone obtained the users salt they still need the salt located in the file.

I am looking to utilise the maximum amount of realistic security without having issues in different platforms not support certain functions or algorithms.

Is this safe and / or should I be using different methods?

mauzilla
  • 3,574
  • 10
  • 50
  • 86
  • You can generate a random salt every time, as displayed in the PHP manual on [`crypt`](http://www.php.net/manual/en/function.crypt.php)'s page. – dialer Apr 09 '13 at 17:01
  • @dialer: if crypt was to generate a random salt directly by using crypt($pass); how would I get that generated salt returned to write to the table? – mauzilla Apr 09 '13 at 17:21
  • That's not how crypt works; the salt is stored *in* the resulting string that comes out of crypt. – dialer Apr 09 '13 at 17:25
  • @dialer, based on this I don't think I'm using it correctly then – mauzilla Apr 09 '13 at 17:32
  • Have a look at Example 1 in the manual. Make sure you completely and absolutely understand the `if` line. Since this question was closed, you might need to ask another, more specific question, if you need help. – dialer Apr 09 '13 at 17:37

0 Answers0