
On my registration page I have used an SHA1 hash and a salt to store my passwords in the database. I think I have done this correctly, as when I check the database it is hashed with the salt included. This is how I have done it.

$newPassword = $_POST['Password'] ;
  if (!empty($newPassword)) {
  //Escape bad characters
  //$newuser = mysql_real_escape_string($newuser);
  //remove leading and trailing whitespace
  $newPassword = trim($newPassword);
  $newPassword = sha1($newPassword);
  $salt = '-45dfeHK/__yu349@-/klF21-1_\/4JkUP/4';

}
else die ("ERROR: Enter a Password");

and the insert is

    $query = "INSERT INTO members (memberFirstname, memberSecondname, memberEmailaddress, memberPassword, memberAddress, memberPostcode) VALUES ('$newFirstName', '$newSecondName', '$newEmailAddress', '$newPassword$salt', '$newAddress', '$newPostcode')";

My problem lies when I try to log in. I'm unsure how to remove the salt and unhash the password (if that is what needs to be done). I can enter the email address and paste the hash and salt into the password field and can successfully log in.

This is my script to log in.

<?php
include 'db.inc';
session_start();
$UserEmail =$_POST["EmailAddress"];
 $UserPassword =$_POST["Password"];
 $query = "SELECT * FROM members WHERE memberEmailaddress = '$UserEmail' 
         AND  memberPassword = '$UserPassword' "; 

$connection = mysql_connect($hostname, $username, $password) or die ("Unable to connect!"); 
mysql_select_db($databaseName) or die ("Unable to select database!"); 
$result = mysql_query($query) or die ("Error in query: $query. ".mysql_error()); 
// see if any rows were returned 
if (mysql_num_rows($result) > 0) { 
   $_SESSION["authenticatedUser"] = $UserEmail;
     // Relocate to the logged-in page
    header("Location: Index.php");
} 
else 
  {
   $_SESSION["message"] = "Could not connect log in as $UserEmail " ;
   header("Location: Login.php");
  }    
mysql_free_result($result); 
mysql_close($connection); 

?>
Kie21
  • Please use this instead http://docs.php.net/manual/en/ref.password.php – PeeHaa Jun 07 '14 at 13:19
  • Also see http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – PeeHaa Jun 07 '14 at 13:20
  • You're using the salt wrong, and you've chosen an inappropriate hashing function for password protection. You shouldn't be trying to do this stuff yourself. Use an off-the-shelf library, security is too important to get this stuff wrong, and you **will** get it wrong. Correctly storing passwords is a notoriously difficult problem. – user229044 Jun 07 '14 at 13:20
  • Use [**CRYPT_BLOWFISH**](http://security.stackexchange.com/q/36471) or PHP 5.5's [`password_hash()`](http://www.php.net/manual/en/function.password-hash.php) function. For PHP < 5.5 use the [`password_hash() compatibility pack`](https://github.com/ircmaxell/password_compat). – Funk Forty Niner Jun 07 '14 at 13:22
  • @Fred-ii- Thanks for pointing that mistake out and I'll look into CRYPT further. – Kie21 Jun 07 '14 at 13:25
  • @meagar Thanks for pointing that out to me. – Kie21 Jun 07 '14 at 13:25

1 Answer


There are several problems with your approach. First, you don't use the salt at all; it will be stored but not used. Second, a salt should be unique for each password; in your case a static salt is used, which is actually a pepper, not a salt. Further, you use a fast hash algorithm, but this can be brute-forced way too fast; instead you should switch to a hash algorithm with a cost factor like BCrypt or PBKDF2.

PHP already has a good function to hash passwords (maybe you need the compatibility pack):

// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);

// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);

Because this function generates a safe salt on its own and attaches it to the resulting hash value, you cannot check the password with SQL directly. Instead you do a query to get the stored hash (by username), then you can verify the entered password against the stored one. I wrote a tutorial where I tried to explain the important points more in depth.

martinstoeckli
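The registration and login flow the answer describes, written out end to end as an added example (this is not code from the question or the answer). It assumes PHP 5.5 or later for `password_hash()`/`password_verify()`, PDO with the pdo_sqlite extension (an in-memory SQLite database stands in for the question's MySQL `members` table so the script runs stand-alone; for MySQL only the DSN in `openDb()` changes), and the column names `memberEmailaddress` and `memberPassword` from the question's INSERT. The helper names and the cost of 12 are choices made for this example.

```php
<?php
// Added example: password storage and login as the answer recommends.
// Assumptions: PHP >= 5.5, PDO + pdo_sqlite (in-memory DB so this runs
// stand-alone), table/column names from the question. Not the original code.

function openDb()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // The hash column must hold the whole password_hash() string: 60 chars
    // for bcrypt today, so 255 leaves room for future algorithms.
    $db->exec('CREATE TABLE members (
        memberEmailaddress TEXT PRIMARY KEY,
        memberPassword     VARCHAR(255) NOT NULL
    )');
    return $db;
}

// Registration: one call hashes with a fresh random salt and a cost factor.
// No sha1(), no hand-rolled salt, and the values are bound as parameters
// instead of being interpolated into the SQL string.
function registerMember(PDO $db, $email, $plainPassword)
{
    if ($plainPassword === '') {
        throw new InvalidArgumentException('Enter a password');
    }
    $hash = password_hash($plainPassword, PASSWORD_BCRYPT, array('cost' => 12));
    $stmt = $db->prepare(
        'INSERT INTO members (memberEmailaddress, memberPassword) VALUES (:email, :hash)'
    );
    $stmt->execute(array(':email' => $email, ':hash' => $hash));
    return $hash;
}

// Login: the salt lives inside the stored string, so the hash cannot be
// matched in the WHERE clause. Fetch the row by e-mail alone, then let
// password_verify() re-hash the candidate with the stored salt and cost.
function authenticateMember(PDO $db, $email, $plainPassword)
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        // A throwaway hash so an unknown e-mail still costs one bcrypt
        // computation; otherwise response time reveals which e-mails exist.
        $dummyHash = password_hash('dummy', PASSWORD_BCRYPT, array('cost' => 12));
    }

    $stmt = $db->prepare(
        'SELECT memberPassword FROM members WHERE memberEmailaddress = :email'
    );
    $stmt->execute(array(':email' => $email));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($plainPassword, $dummyHash); // result deliberately ignored
        return false;
    }
    if (!password_verify($plainPassword, $row['memberPassword'])) {
        return false;
    }

    // If the cost (or algorithm) has been raised since this hash was made,
    // upgrade it now while the plaintext is available.
    if (password_needs_rehash($row['memberPassword'], PASSWORD_BCRYPT, array('cost' => 12))) {
        $upd = $db->prepare(
            'UPDATE members SET memberPassword = :hash WHERE memberEmailaddress = :email'
        );
        $upd->execute(array(
            ':hash'  => password_hash($plainPassword, PASSWORD_BCRYPT, array('cost' => 12)),
            ':email' => $email,
        ));
    }
    return true;
}

// Stand-alone demonstration with constructed data.
$db = openDb();
registerMember($db, 'alice@example.com', 'correct horse battery staple');
var_dump(authenticateMember($db, 'alice@example.com', 'correct horse battery staple'));
var_dump(authenticateMember($db, 'alice@example.com', 'wrong password'));
var_dump(authenticateMember($db, 'nobody@example.com', 'anything'));
```

Run as `php example.php`: the first `var_dump` is `bool(true)`, the other two `bool(false)`. Pasting the stored hash into the password field no longer works, because `password_verify()` hashes whatever was typed and compares the result; only the original plaintext produces the stored value. The `$dummyHash` branch and the `password_needs_rehash()` upgrade are the two details a practitioner usually wants on top of the answer's two calls.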