
I've got a little question here because I'm creating a login and register system. A developer at my school told me to salt passwords to make them secure. I agree on that point, but he said I needed to create the salt out of a timestamp. How do I do that? Currently I'm doing this:

$password = hash('sha512', $password . $salt);

and the salt just like:

$salt = "xHkosbGhsfT77239GhsvH";

This is literally in my configuration, so it's not good...

Does anyone have some tips? Any idea how to do it? If any of you do, share it with me!

Thanks.

CodesInChaos
sushibrain
  • The idea, I think, is to have a unique salt for every user. So you could add a column to your user table to store it, and generate a new salt for every user that signs up. You could use a timestamp, but read [this](http://stackoverflow.com/questions/4983915/is-time-a-good-salt?rq=1) - might be better to use random salts. – Blorgbeard Jan 20 '14 at 19:25
  • 3
    A salt only based on a timestamp is a stupid idea. The salt needs to be random. Also: just use the [native password hashing API](http://nl3.php.net/password) or the [5.3.7+ compatibility library](https://github.com/ircmaxell/password_compat). – PeeHaa Jan 20 '14 at 19:28
  • @PeeHaa can you explain why using a timestamp is such a bad idea? Seems it would be *almost* unique per user. Especially at the "school login system" level of user-count. – Blorgbeard Jan 20 '14 at 19:43
  • Unique !== random. You want the salt to be random. – PeeHaa Jan 20 '14 at 19:45
  • 1
    Halfer suggests `/s/stupid/non-optimal/` and sends calming, positive rays to @PeeHaa `:-)`. – halfer Jan 20 '14 at 20:27
  • @PeeHaa why do you want the salt to be random? – Blorgbeard Jan 20 '14 at 20:55

2 Answers


It is better to generate a unique salt for each user and keep them in your user table. So, for password checking, just fetch the user's salt from the database and use it. It is much safer than using a single salt for the whole database.

Shahram

You can use the hash_hmac() function, which needs three arguments (see the documentation). I use it like this:

hash_hmac('sha512', $password . $salt, SITEKEY);

sha512 is my preferred hash function, which generates 128B long strings

$password is the user's password

$salt is a unique string generated for each user and stored in the database in the same row as the user

the salt is generated as: bin2hex(openssl_random_pseudo_bytes($bits)) (see the documentation)

SITEKEY is a unique string for each site I make

Kamil
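Putting the comments and both answers together, here is an added example (not code from the question or the answers) that contrasts a per-user random salt with a plain hash against the native password_hash()/password_verify() API that PeeHaa recommended. It assumes PHP 7.1 or later; the function and variable names are my own.

```php
<?php
// Added example, not code from the question or the answers. Assumes PHP >= 7.1
// (random_bytes(), nullable types, and the native password_hash()/password_verify() API).

// Option 1: what the question is attempting, done correctly: a fresh random salt
// per user (stored in that user's row), never a timestamp or a constant in config.
function make_salt(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes)); // CSPRNG; 32 hex chars for 16 bytes
}

function salted_sha512(string $password, string $salt): string
{
    return hash('sha512', $password . $salt); // 128 hex chars
}

function verify_salted_sha512(string $password, string $salt, string $stored): bool
{
    // hash_equals() compares in constant time, so the check does not leak timing.
    return hash_equals($stored, salted_sha512($password, $salt));
}

// Option 2 (recommended in the comments): password_hash() generates the salt
// itself and embeds it in the returned string, so no salt column is needed.
function register(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT); // bcrypt by default
}

function login(string $password, string $storedHash, ?string &$rehash = null): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    // If the default algorithm or cost has changed, rehash on a successful login.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $rehash = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed demo values standing in for a user row in the database.
$salt = make_salt();
$row  = ['salt' => $salt, 'hash' => salted_sha512('correct horse', $salt)];
var_dump(verify_salted_sha512('correct horse', $row['salt'], $row['hash']));
var_dump(verify_salted_sha512('wrong guess', $row['salt'], $row['hash']));
$stored = register('correct horse');
var_dump(login('correct horse', $stored), login('wrong guess', $stored));
```

Option 1 is shown only because it is what the question asks about; a single fast SHA-512 pass is still cheap to brute-force, which is why option 2's slow, salted bcrypt hash is the one to store.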