
I'm quite new with this whole salting thing.

Let's say I store an admin password (crypt($pass,$salt)) in my config.php.

Now I don't suppose having a random string $salt right below my (crypt'ed) password in the config.php file is a good idea, right?

I haven't found a single tutorial that could tell me where I should store my salt or how to actually use it in an intelligent way.

Also, should I store my admin login details in a database even though my admin is the only one?

PHP version 5.1

<?php
// Administration
$ad_uname = "church"; #username
$ad_pass = "sj50sl3ZE8ABM"; #password: crypt("blablah", $salt)
$salt = "sjoirjoewtointontont"; #salt
?>
Perry
Simosito
    possible duplicate of [Where do you store your salt strings?](http://stackoverflow.com/questions/1219899/where-do-you-store-your-salt-strings) – Wooble Sep 13 '13 at 17:24
  • It doesn't matter what it says or that it's a visible plain-text string, the *whole* point is that your salt is unique to **your** application meaning if someone wanted to brute force every combination to break an encrypted value you have stored then they can't just look-up a pre-computed [rainbow table](http://en.wikipedia.org/wiki/Rainbow_table). – Emissary Sep 13 '13 at 17:25
  • My reasoning was that if one was able to somehow get the config.php it wouldn't be very wise to have both password and salt there. Or is this too remote a chance? If so, shouldn't I just store the password as it is (plain text)? – Simosito Sep 13 '13 at 17:27
  • ... I think the saying goes, *"security shouldn't be through obscurity"* - hiding the salt's location is futile - if someone has access to your server you have bigger issues. – Emissary Sep 13 '13 at 17:29
  • I think you've got bigger problems if an attacker has access to your server. – mittmemo Sep 13 '13 at 17:29
  • Right. So I could have skipped the whole salting since I am not using a DB, am I correct? – Simosito Sep 13 '13 at 17:30
  • Might be overkill but it's not doing any harm - even in a database you'd store unique salts with every encrypted entry. – Emissary Sep 13 '13 at 17:33
  • I'd be more concerned about using such an outdated version of PHP. – Sammitch Sep 13 '13 at 17:35
  • Emissary "The Sisko is wise" (cit.). Thank you very much. Sammitch tell me about it, I'm doing this scripting pro-bono: one server didn't have mysqli, this has PHP 5.1... maybe next time I get a job where I have to use ColdFusion... – Simosito Sep 13 '13 at 17:38

1 Answer


Have a look at PHP's function password_hash(), it solves the problem exactly as it should be done. The salt is included as part of the resulting hash-value and is plain-text. The purpose of a salt is to prevent rainbow-table attacks.

What you have in mind is to add a server side secret, this can be done by adding a pepper or by encrypting the hash-value afterwards with a two-way encryption algorithm (in addition to salting). The difficulty is, where to store this secret, if an attacker already has privileges to read your source code, he will also have access to your secret (the code must be able to read it). If you are more interested in this topic, you could have a look at this tutorial.

martinstoeckli
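The salt-storage question from the post and the password_hash()/pepper approach from the answer, worked through as an added PHP example that is not code from either the asker or the answerer. It assumes PHP 7.0 or later (the question targeted 5.1, where only crypt() is available); the ADMIN_PEPPER environment variable name and the fallback pepper string are placeholders. The first point it shows is that a DES crypt() string already begins with its 2-character salt (the asker's value starts with "sj", the first two characters of the $salt), so a separate $salt variable in config.php is redundant: verification re-reads the salt from the stored string.

```php
<?php
// Added example, not from the question or answer. Assumes PHP >= 7.0.

// 1. The asker's format: a standard DES crypt() string is salt + hash, so the
//    salt is already stored inside the value. Passing the stored string back as
//    the salt argument makes crypt() reuse exactly that salt.
function legacy_crypt_verify(string $password, string $stored): bool {
    // hash_equals() gives a constant-time comparison of the two 13-char strings.
    return hash_equals($stored, crypt($password, $stored));
}

// 2. The answer's recommendation: password_hash() emits one string that holds
//    algorithm id, cost, salt and hash, e.g. "$2y$10$<22-char salt><31-char hash>".
function make_hash(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

function verify_hash(string $password, string $stored): bool {
    // password_verify() parses the algorithm, cost and salt out of $stored.
    return password_verify($password, $stored);
}

// 3. Optional server-side secret ("pepper"), the second idea in the answer:
//    HMAC the password with the pepper before hashing. The pepper has to live
//    outside the file that holds the hash (here: an environment variable),
//    otherwise it adds nothing once config.php is readable.
function peppered_hash(string $password, string $pepper): string {
    $pre = hash_hmac('sha256', $password, $pepper, true); // raw 32 bytes
    // base64 avoids NUL bytes (bcrypt treats them as string end) and keeps the
    // input at 44 chars, under bcrypt's 72-byte limit.
    return password_hash(base64_encode($pre), PASSWORD_BCRYPT);
}

function peppered_verify(string $password, string $pepper, string $stored): bool {
    $pre = hash_hmac('sha256', $password, $pepper, true);
    return password_verify(base64_encode($pre), $stored);
}

// Demo with constructed values; the fallback pepper is a placeholder only.
$pepper = getenv('ADMIN_PEPPER') ?: 'constructed-placeholder-pepper';

$legacy = crypt('blablah', 'sj');                 // 2-char DES salt, as in the question
var_dump(legacy_crypt_verify('blablah', $legacy));
var_dump(legacy_crypt_verify('wrong-password', $legacy));

$h = make_hash('blablah');
var_dump(substr($h, 0, 4));                       // algorithm prefix, salt follows in $h
var_dump(verify_hash('blablah', $h));

$p = peppered_hash('blablah', $pepper);
var_dump(peppered_verify('blablah', $pepper, $p));
var_dump(peppered_verify('blablah', 'a-different-pepper', $p));
```

Only the hash string needs to be in config.php in either scheme; the pepper, if used, is the one value that must be kept elsewhere, and the last var_dump shows that verification fails when the pepper differs, which is what the answer means by the secret being required at verification time.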