3

I was wondering if

`password_hash("custompassgoeshere", PASSWORD_BCRYPT)`

is secure enough in order to store passwords in the DB, or if I should add some more salt to it (I was thinking something like the user's username/email/date of birth/etc.).

Thanks!

  • Unique salts for each user is recommended. You can just generate a unique salt for each user and store it in the database. – Damien Black Apr 21 '14 at 23:42
  • Perhaps increasing the cost, but using the default salt generation of password_hash() is the recommended option rather than creating your own salt – Mark Baker Apr 21 '14 at 23:44
  • Salting an already salted hash is pointless. Bcrypt salts automatically. – AJReading Apr 21 '14 at 23:47
  • @DamienBlack - This is what `password_hash()` already does, it generates a safe salt from the random source of the operating system, and adds it to the resulting hash string. You cannot generate a better salt on your own, so you should not pass one to the function. – martinstoeckli Apr 22 '14 at 07:58

1 Answer

3

Bcrypt would be secure enough on its own; ensure that you increase the iterations/cost to something high enough (but not too slow for your server). You may need to test a few values to find acceptable hashing times.

You do not need to salt your passwords: Bcrypt generates a unique salt for each hash automatically and stores it with the hash.

See: How can bcrypt have built-in salts?

  • Thank you for the reply and link mate. Any idea how I can check out which would be the best cost value for my server? – user3465843 Apr 21 '14 at 23:52
  • Sure, just create a simple page and hash a string, see how long it takes. You can do this manually. You could also use `microtime` to save the start time before you hash and `microtime` again after the hash to see how long it takes. PHP also has a good example of how to calculate a cost on their documentation page: http://docs.php.net/manual/en/function.password-hash.php See example #4 – AJReading Apr 21 '14 at 23:56
  • To the downvoter, care to add a comment as to why this is not a useful answer? – AJReading Apr 22 '14 at 00:23
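As an added example (not code from the question or the answer above), the following PHP script does what the answer and its comments describe: it times `password_hash()` at increasing cost values with `microtime()`, picks the highest cost that stays inside a time budget, hashes the password from the question, and verifies it. The 250 ms budget, the starting cost of 10 and the benchmark string are assumptions; choose values that fit your own server.

```php
<?php
// Added example, not from the original post. Tune the bcrypt cost for this
// machine, then hash and verify with password_hash() / password_verify().
declare(strict_types=1);

/**
 * Return the highest bcrypt cost whose hashing time stays within $budgetMs.
 * Costs are tried from $minCost upward; $minCost is returned as a floor even
 * if it already exceeds the budget. 31 is the maximum bcrypt cost PHP accepts.
 */
function findBcryptCost(float $budgetMs = 250.0, int $minCost = 10): int
{
    $best = $minCost;
    for ($cost = $minCost; $cost <= 31; $cost++) {
        $start = microtime(true);
        // The string hashed here is only a benchmark input (constructed).
        password_hash('benchmark-only-password', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsedMs = (microtime(true) - $start) * 1000.0;
        if ($elapsedMs > $budgetMs) {
            break; // this cost is too slow; keep the previous one
        }
        $best = $cost;
    }
    return $best;
}

$cost = findBcryptCost();
printf("Chosen bcrypt cost for this server: %d\n", $cost);

// No manual salt: password_hash() draws a salt from the OS random source and
// embeds it in the output ($2y$<cost>$<22-char salt><31-char hash>), so the
// stored string is all that is needed later. Note that bcrypt only uses the
// first 72 bytes of the password.
$hash = password_hash('custompassgoeshere', PASSWORD_BCRYPT, ['cost' => $cost]);
printf("Stored hash: %s\n", $hash);

// password_verify() reads the cost and salt back out of the stored hash.
var_dump(password_verify('custompassgoeshere', $hash));
var_dump(password_verify('wrong-password', $hash));

// When you raise the cost later, upgrade old hashes on the next successful
// login instead of re-salting or double-hashing them.
$newCost = $cost + 1;
if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => $newCost])) {
    $hash = password_hash('custompassgoeshere', PASSWORD_BCRYPT, ['cost' => $newCost]);
    printf("Rehashed at cost %d: %s\n", $newCost, $hash);
}
```

Run the cost search once on the production hardware rather than on a developer laptop, since the chosen value depends on the CPU it runs on.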