1

I'm using the crypt function in PHP to hash passwords, along with salt obviously. But I'm generating my salt by calling the md5 function over the date function. And every time the user logs in the salt gets regenerated.

Is any of this bad in any way? I am still relatively new to PHP (and webdev) and I'm trying to get my security right before I deploy this code.

$salt = md5(date('m/d/Y h:i:s a'));
0m3r
  • 12,286
  • 15
  • 35
  • 71
juanjalvarez
  • 13
  • 2
  • 3
    Why not just use `password_hash()`, available from PHP5.5? There's a [shim for earlier versions](https://github.com/ircmaxell/password_compat) of PHP (5.3.7+) too. [PHP Reference](https://php.net/manual/en/function.password-hash.php) –  Jun 20 '15 at 01:54
  • Consider reading this article: https://crackstation.net/hashing-security.htm . It includes good discussion and a sample PHP implementation. – Firefly Jun 20 '15 at 02:23
  • Have a look at [this answer](http://stackoverflow.com/a/10945097/1338292) and read the section about password hashing. – Ja͢ck Jun 20 '15 at 02:52

1 Answers1

1

It is considered bad practice by many. Here are (some of) the reasons:

  1. You are using md5, a weak, old, and fast to calculate hash.
  2. The salt is generated in a predictable fashion. The salt should be different for every user (even if registered in the same second) and should be more random than the date.
  3. You are reinventing the wheel. You are using the crypt function to hash the passwords, so there is no reason to not use that for getting a secure salt. password_hash() is a built in function of PHP 5.5, and a compatibility library for versions slightly older than that.

How to use password_hash()

TL;DR: use password_hash() to generate the salt AND hash the password, no need to reinvent the wheel in a less secure fashion.

Credit to be given to Hobo Sapiens for mentioning password_hash() first.

p1xel
  • 294
  • 2
  • 10