
Sorry for being new to PHP programming. In my old project I use MD5 to encrypt the password; however, it is not secure enough, and I found some resources on the internet suggesting using a password salt instead.

The problem is, I am using CodeIgniter. Is there any helper/library for this purpose, or how do I change my old code to support the generation of the password salt?

Thanks for helping. I am using PHP 5.2

And here is the old code to validate, while the user account is generated by storing md5($password):

function validate_credentials() {
    $this->load->model('Secure_model');

    $username = $this->input->post('username');
    $password = md5($this->input->post('password'));

    $is_valid = $this->Secure_model->validate('customer', $username, $password);

    if ($is_valid) {
        $data = array(
            'user_id' => $this->get_user_id($username),
            'user_name' => $username,
            'is_logged_in_user' => true
        );
        $this->session->set_userdata($data);
        redirect('profile');
    } else {
        $data['message_error'] = TRUE;
        $data['main_content'] = 'front/login';
        $this->load->view('front/includes/template', $data);
    }
}
user782104
  • I found that I need to store the salt in the database as well. Is this tutorial http://sunnyis.me/blog/secure-passwords/ appropriate for my requirement? Thanks a lot – user782104 Sep 08 '14 at 09:09
  • Don't store the salt in the database! If someone manages to dump the DB, they will get the salt used. It's basically the same as not using any salt. – DannyThunder Sep 08 '14 at 09:15
  • Thanks for your reply. From that tutorial it seems I don't even need to store the salt, just coding like the md5. But is the salt unique for each record in phpass? – user782104 Sep 08 '14 at 10:36
  • Read this post to get your answer: http://stackoverflow.com/questions/14331991/what-is-the-best-method-to-encrypt-password-in-codeigniter/14332569#14332569 – umefarooq Sep 08 '14 at 10:54
  • MD5 is going to be insecure anyway, whether you salt it or not. Look at something like Blowfish (https://github.com/themattharris/PHP-Blowfish/blob/master/blowfish.php). Even better, use OAuth against Facebook or Google. This stuff is very difficult to get right, especially using a combination of PHP 5.2 and CodeIgniter. – Dan Blows Sep 08 '14 at 11:58
  • @DannyThunder - Storing the salt in the database is the recommended way and does not reduce security. The salt is not meant to be secret to work. Just make sure it is unique for each password. A lot of functions, including the PHPass library, will include the salt in the resulting hash value. – martinstoeckli Sep 08 '14 at 14:17
  • @Blowski - The library you are referring to implements the Blowfish encryption algorithm, not the BCrypt hashing algorithm. – martinstoeckli Sep 08 '14 at 15:17
  • @martinstoeckli then what is the purpose of salt if it's known? – DannyThunder Sep 09 '14 at 15:32
  • @DannyThunder - With a unique salt per password, an attacker has to build a rainbow table for each password, which doesn't make sense (brute-forcing is faster). So the purpose of the salt is to prevent the usage of one single rainbow table to get all passwords at once. What you probably have in mind is called a pepper or a key. If you are interested you may have a look at my tutorial about [safely storing passwords](http://www.martinstoeckli.ch/hash/en/index.php). – martinstoeckli Sep 09 '14 at 19:55
  • @martinstoeckli that part I do understand; it's the storing of the salt in the DB that I don't understand. Sure, if it is a different DB. Will check out your page! Thanks. – DannyThunder Sep 09 '14 at 20:46

5 Answers

If you are really stuck with PHP 5.2 your best bet will probably be the phpass library, because there is no PHP support of the BCrypt algorithm.

PHP versions 5.3 and later will have native support of BCrypt, so you can use the PHP function password_hash() to hash a password. There is a compatibility pack for versions before 5.5.

// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);

// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);

In every case you are doing right with discarding MD5 and switching to another algorithm. Make sure that you use an algorithm with a cost factor like BCrypt or PBKDF2; fast algorithms like SHA* are not appropriate to hash passwords. Salting is mandatory, though the salt can be stored in the database; it fulfills its purpose even if it is known.

martinstoeckli
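The upgrade path this answer implies, written out as an added example (not code from martinstoeckli's answer, from CodeIgniter, or from the question): a login check that verifies with password_verify() and, on a successful login, rewrites any row still holding the old unsalted md5($password) value as a bcrypt hash. It assumes PHP 5.6 or later (for the password_* functions and hash_equals()); every function name, the BCRYPT_COST constant and the in-memory $users "table" are hypothetical stand-ins for the model and database calls in the question.

```php
<?php
// Added example, not code from martinstoeckli's answer or from CodeIgniter:
// verify with password_verify() and transparently upgrade rows that still
// hold the old unsalted md5($password) value.
// Assumes PHP >= 5.6 (password_* functions and hash_equals()); all function
// names and the in-memory $users "table" are hypothetical stand-ins for the
// model/database calls in the question.

const BCRYPT_COST = 11;

// Constructed sample data: the row for "alice" was written by the old code
// as md5($password) and has never been touched since.
$users = array(
    'alice' => md5('correct horse battery'),
);

// Unsalted MD5 as stored by the old code is exactly 32 lowercase hex chars;
// bcrypt strings start with "$2y$" and are 60 chars, so the two never collide.
function isLegacyMd5Hash($stored)
{
    return preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
}

// New hashes: password_hash() draws a unique random salt itself and embeds
// salt, algorithm id and cost in the returned string.
function hashPassword($password)
{
    return password_hash($password, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
}

// Returns false on a wrong password, null when the stored hash is current,
// or a fresh bcrypt string the caller must write back to the database.
function verifyAndMaybeUpgrade($password, $stored)
{
    if (isLegacyMd5Hash($stored)) {
        // Constant-time comparison; also avoids PHP's loose == on hex
        // strings, which treats "0e..." values as numbers.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        // The plaintext is available only during a successful login, so this
        // is the one moment a legacy row can be upgraded without a reset.
        return hashPassword($password);
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Also re-hash when BCRYPT_COST has been raised since the row was written.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST))) {
        return hashPassword($password);
    }
    return null;
}

// Hypothetical replacement for the Secure_model->validate() call.
function login(array &$users, $username, $password)
{
    if (!isset($users[$username])) {
        return false;
    }
    $result = verifyAndMaybeUpgrade($password, $users[$username]);
    if ($result === false) {
        return false;
    }
    if ($result !== null) {
        // In the real model this is an UPDATE of the user's password column.
        $users[$username] = $result;
    }
    return true;
}

// Walk-through: a wrong guess is rejected; the first correct login upgrades
// alice's MD5 row to bcrypt; the next one goes through password_verify().
var_dump(login($users, 'alice', 'wrong guess'));
var_dump(login($users, 'alice', 'correct horse battery'));
var_dump(substr($users['alice'], 0, 4));
var_dump(login($users, 'alice', 'correct horse battery'));
```

The legacy branch only ever runs while the user is proving the password, so rows of users who never log in again stay MD5; the usual follow-up is to force a reset for those after a deadline.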

Look at this part of the code I use to register a user:

public function addUser($data) {
    // 9-char salt derived from uniqid()/rand(); note that neither is a
    // cryptographic random source
    $salt = substr(md5(uniqid(rand(), true)), 0, 9);
    // nested SHA1 chain over salt and password
    $hash = sha1($salt . sha1($salt . sha1($data['password'])));
    $sql = "INSERT INTO `user` SET salt = " . $this->db->escape($salt)
         . ", password = " . $this->db->escape($hash) . ".......";
    $this->db->query($sql);
}

The salt and password information is stored in your user table. To retrieve the information and validate the password you do this:

// recompute the same nested SHA1 chain in SQL, using the salt stored in the row
$query = $this->CI->db->query(
    "SELECT * FROM `user` WHERE email = " . $this->CI->db->escape($email)
    . " AND password = SHA1(CONCAT(salt, SHA1(CONCAT(salt, SHA1("
    . $this->CI->db->escape($password) . ")))))"
);
Bak

Here are some simple solutions.

  • You can use SHA* hash functions; be careful in using MD5 since it has a higher rate of collisions than SHA,

  • and also about your problem with salt: it is OK if you don't salt your password, just make sure your users use a very good password with a combination of lower and upper cases and with numbers, and make them lengthy.

I would like to advise you to use bcrypt, but since you are using 5.2, it has a bug on that version, and certain password libs like PHPass and PHPLIB cater only to 5.3 and above. The best option is to upgrade to 5.3 so that you can use the PHP libs, but take full caution with the scripts.

tomexsans

As far as I know codeigniter does not have a built-in function for this...

To make a hash with PHP you need

  • the password
  • a true random salt
  • a slow hashing algorithm

In PHP you can create a true random salt by using mcrypt_create_iv().

To make the hash, you can use crypt() or password_hash(), which support slow algorithms like CRYPT_BLOWFISH. Forget md5 or sha1; they are too fast, so with the proper tool it is possible to find out passwords hashed by them.

// 22 bytes from /dev/urandom as the salt
$salt = mcrypt_create_iv(22, MCRYPT_DEV_URANDOM);
// bcrypt with cost 11 and the salt supplied explicitly
// (the 'salt' option was deprecated in PHP 7.0; omit it to let PHP generate one)
$hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => 11, 'salt' => $salt));

The password_hash() function can generate a true random salt automatically, so you don't have to generate it manually if you don't want. The salt will be appended to the hash.

Sadly PHP 5.2 does not have CRYPT_BLOWFISH support. So you have to use the PHPASS lib.

inf3rno
  • If you _can_ use the password_hash() function, it is better not to generate a salt on your own; this is done safely by the function itself. – martinstoeckli Sep 08 '14 at 14:43
  • Is it possible to store that salt? What if I want to migrate to another server, are the salts lost? Do they depend on the environment? – inf3rno Sep 08 '14 at 15:58
  • The resulting hash value will have the salt included in plaintext; this is the usual way to store the salt. The function [password_verify()](http://www.php.net/manual/en/function.password-verify.php) will extract the salt from this hash. I tried to explain this format in another [answer](http://stackoverflow.com/a/25403833/575765). – martinstoeckli Sep 08 '14 at 16:02
  • Thanks! I did not know, I always stored the salt in a separate column. – inf3rno Sep 08 '14 at 17:55
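What "the salt will be appended to the hash" looks like in practice, as an added example (not part of inf3rno's answer, of the comments, or of PHP itself): it takes apart the string password_hash() returns to show where the salt sits, hashes the same password twice to show that the salts differ while both strings still verify, and contrasts that with the question's unsalted md5(). It assumes PHP 5.5 or later (or the password_compat library on 5.3.7+); parseBcryptHash() is a hypothetical helper defined here.

```php
<?php
// Added example, not part of inf3rno's answer or of PHP itself: take apart
// the string password_hash() returns to show where the salt lives, and why a
// per-password salt matters even though it is stored in the clear.
// Assumes PHP >= 5.5 (or password_compat on PHP 5.3.7+); parseBcryptHash()
// is a hypothetical helper written here.

// A bcrypt string has fixed-width fields:
//   $2y$ <2-digit cost> $ <22-char salt> <31-char digest>
// salt and digest use bcrypt's own radix-64 alphabet [./A-Za-z0-9].
function parseBcryptHash($hash)
{
    $re = '/^\$(2[abxy])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (preg_match($re, $hash, $m) !== 1) {
        return null;
    }
    return array(
        'variant' => $m[1],
        'cost'    => (int) $m[2],
        'salt'    => $m[3],
        'digest'  => $m[4],
    );
}

$password = 'correct horse battery';   // constructed sample

// Hash the same password twice: password_hash() picks a fresh salt each time,
// so the stored strings differ ...
$h1 = password_hash($password, PASSWORD_BCRYPT, array('cost' => 10));
$h2 = password_hash($password, PASSWORD_BCRYPT, array('cost' => 10));
$p1 = parseBcryptHash($h1);
$p2 = parseBcryptHash($h2);

// ... yet both verify, because password_verify() reads salt and cost back
// out of the string instead of needing a separate column.
$bothVerify = password_verify($password, $h1) && password_verify($password, $h2);

printf("variant %s, cost %d\n", $p1['variant'], $p1['cost']);
printf("salt 1: %s\nsalt 2: %s\n", $p1['salt'], $p2['salt']);
printf("salts differ: %s, both verify: %s\n",
    $p1['salt'] !== $p2['salt'] ? 'yes' : 'no',
    $bothVerify ? 'yes' : 'no');

// The contrast with the question's md5($password): no salt, so two users with
// the same password get identical rows, and one precomputed table covers both.
$alice = md5($password);
$bob   = md5($password);
printf("unsalted md5 rows identical: %s\n", $alice === $bob ? 'yes' : 'no');
```

Because the salt is part of the 60-character string, a single VARCHAR(60) column holds everything a later server needs to verify the password; nothing is tied to the environment, which answers the migration worry in the comments above.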

You should set $config['salt'] = '$%#~De@'; in your config file.

// Inside your model or controller where you are getting your post values:
// SHA1 over the fixed config salt concatenated with the posted password
$password = sha1($this->config->item('salt') . $this->input->post('password'));

This should give you a hashed password.

Yusuf Ali