
I am looking for the best salt I can add to my users' passwords.

I have already saved user passwords with a small salt like:

// Legacy scheme already stored in the database: fixed salt appended, then md5
$pass = "deerox";
$salt = "fg55fd45";
$password = md5($pass . $salt);

So I want the best salt I can ever have. I will be using sha512 now, and it should take attackers ages to crack one password.

I can't generate a random salt for every user because, as I have said, I already saved their passwords.

// Proposed scheme: md5 of the password (what is already stored), wrapped in two fixed salts and hashed with sha512
$pass1 = "deerox";
$pass = md5($pass1);
$salt1 = "fRY^YXCH%^d5fdffdstre324e6t45";
$salt2 = "sdgdfg#$#$@%FDG%GFDG54fds545342";
$password = hash("sha512", $salt1 . $pass . $salt2);

I just want to know if it is secure or if I can make it more secure.

deerox
  • Don't hash a password two times! – Perry Jun 08 '13 at 12:19
  • Why do you think it's not secure already? What's "more secure"? Hashing passwords twice is just wasting CPU cycles and it's not making it any more secure. – Burhan Khalid Jun 08 '13 at 12:20
  • OK, I will just use **md5($pass)** @Perry – deerox Jun 08 '13 at 12:20
  • I have a few attackers on my site, so I want to know if it is secure enough or if I need more security? @BurhanKhalid – deerox Jun 08 '13 at 12:21
  • [Read here](http://stackoverflow.com/questions/1645161/salt-generation-and-open-source-software/1645190#1645190). You can dynamically and randomly create it for each user, and then store it in plaintext with the hashed passwords in the DB as it does not need to be secret. – ajp15243 Jun 08 '13 at 12:23
  • @deerox don't use md5 for passwords; see my answer and the link in it, that will help you out! – Perry Jun 08 '13 at 12:23
  • possible duplicate of [Secure hash and salt for PHP passwords](http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords) – dev-null-dweller Jun 08 '13 at 12:25
  • Suggested read: http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php – Lepidosteus Jun 08 '13 at 12:31
  • Thanks everyone. My problem was that I have already saved as md5 with that small salt and need a solution, and people said it's a duplicate already. :| I wanted to ask how to solve it, as it is already saved as md5. – deerox Jun 08 '13 at 12:37

2 Answers

You have a bad password encryption scheme. Tacking anything on to it is not going to make it substantially more secure. What you need is a good hashing + salting from the beginning; it's too late now and you can't really improve the security of the already hashed passwords.

A static salt, or even two, or a salt derived from the password itself are not salts; a salt needs to be a random unique value independent of the password to add uniqueness to each hash.

Add a new flag to your database which says which passwords currently use your "legacy" hashing system. When the user logs on the next time and you have a chance to get his clear text password, use that chance to rehash the password in a better system, then update the flag in the database. This way you can upgrade your user base little by little to a secure hash completely transparently.

You need a dynamic salt per password and an appropriate hash like bcrypt or scrypt. Use http://github.com/ircmaxell/password_compat for a good, easy to use library that implements both.

deceze
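The migration deceze describes, as an added example that is not code from the answer: the "legacy" flag is checked at login, the old md5($pass . $salt) hash is verified exactly as the asker's code produced it, and the row is rehashed with password_hash() while the clear text is available. It assumes PHP 7+, a PDO handle, and a hypothetical `users` table with `password` and `legacy_hash` columns; `LEGACY_SALT` is the asker's fixed salt.

```php
<?php
// Added example (not deceze's code). Assumed schema: users(id, username,
// password, legacy_hash); legacy_hash = 1 means password holds md5(pass.salt).
const LEGACY_SALT = 'fg55fd45';

// Verify a legacy hash exactly as the old code produced it.
function legacyVerify(string $clear, string $storedMd5): bool
{
    return hash_equals($storedMd5, md5($clear . LEGACY_SALT));
}

// Check the submitted password; on success, upgrade legacy rows in place.
function loginAndUpgrade(PDO $db, string $username, string $clear): bool
{
    $stmt = $db->prepare('SELECT id, password, legacy_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }

    if ($row['legacy_hash']) {
        if (!legacyVerify($clear, $row['password'])) {
            return false;
        }
        // We have the clear text now: rehash with bcrypt (a random per-user
        // salt is generated and embedded in the result) and clear the flag.
        $new = password_hash($clear, PASSWORD_DEFAULT);
        $upd = $db->prepare('UPDATE users SET password = ?, legacy_hash = 0 WHERE id = ?');
        $upd->execute([$new, $row['id']]);
        return true;
    }

    if (!password_verify($clear, $row['password'])) {
        return false;
    }
    // Already on bcrypt: raise the cost later without needing another flag.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
        $upd->execute([password_hash($clear, PASSWORD_DEFAULT), $row['id']]);
    }
    return true;
}
```

New registrations should call password_hash() directly with legacy_hash = 0, so the flag only ever marks rows that predate the change.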

First of all, don't hash a password two times.

Next thing: if you have a database, you should also store a salt in the database, a random salt for every user. Add a salt in your code as well (like you already have).

Don't use sha1 or md5 for passwords. You can use sha512. Also, you can see more information about good password hashing over here:

[Secure hash and salt for PHP passwords](http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords)

Perry