2

I was just thinking if creating a password hash by using a salt created from the password himself is safe to use. Here an example in php:

<?php
$pass = $_GET['pass'];
$salt = hash('whirlpool', $pass);
$pass = md5(hash('whirlpool', $salt.$pass));
echo $pass;
?>

Does this make sense ?

Regards.

Peter
  • 21
  • 1
  • possible duplicate of [Help me make my password storage safe](http://stackoverflow.com/questions/1581610/help-me-make-my-password-storage-safe) – Jacco Aug 04 '11 at 14:59
  • 1
    Despite your choice of variable name, you are not actually using a salt here. You should read the wikipedia page about [cryptographic salts](http://en.wikipedia.org/wiki/Salt_%28cryptography%29). – John Bartholomew Aug 04 '11 at 15:06
  • Thanks for that, I didn't know that the a salt must not have anything in common with the password. – Peter Aug 04 '11 at 15:08

4 Answers4

5

The point of a salt is to make everyone's password unique. So in this case just hashing their password and adding it as a salt would still make 2 user's final hashed password equal when the same original password is given. Better to give each user a random salt and store that right beside their password in the db.

Michael
  • 763
  • 3
  • 5
  • But I don't really like the idea to store a salt in the db as if someone gets the hand on the db he can see a column salt which would obviously help him to crack the hashed password. – Peter Aug 04 '11 at 15:06
  • @Peter, even though you do not like the idea, it *is* the method that has, for a long time, been the de-facto standard agreed upon by cryptographers. – Jacco Aug 04 '11 at 15:14
  • 1
    Totally understand, but the point of the salt is to just create individual hashes per user, not really for making the password "more secure." It just increases the time it takes for a hacker to brute force all the passwords. Couple that with something like http://www.openwall.com/phpass/ as your hasher and enforcing password complexity. – Michael Aug 04 '11 at 15:19
  • @Jacco, I agree with that, but I don't really understand how this is any more secure than just hashing the password, as if someone has access to the database he has access to the hash password and the salt that was used. Maybe I'm missing something. edit : ok Michael answered my question. Thanks a lot for you help and knowledge. – Peter Aug 04 '11 at 15:20
  • 1
    @peter np. And just wanted to mention why I said use phpass not sha1 or md5. The point of those two hashes is that they are fast, so if you use a slower hasher it takes longer for the hacker to brute force. Give this a read http://codahale.com/how-to-safely-store-a-password/ – Michael Aug 04 '11 at 15:27
  • @Peter: I found this [wikipedia article](http://en.wikipedia.org/wiki/Rainbow_table) quite illustrative as to what a salt helps to prevent. – emboss Aug 04 '11 at 17:51
3

It's no necessary to hash and re hash and re re hash the password.

Use a salt with a good hashcode algorithm is a good thing, but you need to force yours users to send a strongly password with a minimum of size and with alphanumeric characters

notes:

  • Using sha1 is better than md5.
  • Using a good salt (thanks @John Bartholomew)
  • Force yours users to create a strongly password
sahid
  • 2,570
  • 19
  • 25
  • Note that here, the variable called `$salt` is not actually a salt, since it is being produced deterministically from the password itself. – John Bartholomew Aug 04 '11 at 15:04
  • Yes, I wanted also know if this had any sense to create a salt from the password itselft. – Peter Aug 04 '11 at 15:07
  • 1
    @Peter, read: http://stackoverflow.com/questions/1645161/salt-generation-and-open-source-software/1645190#1645190 for more information about salt in relation to password hashing. – Jacco Aug 04 '11 at 15:15
0

You can protect both your password and your salt.

  1. Use SHA256 or higher (2012) and in years to come it must be higher.

  2. Use a different salt for every user.

  3. Use a calculated salt.

  4. Create a 16 to 32 byte Salt and store it in the database, called 'DBSalt'.

  5. Create any old algorithm to manipulate the salt but keep the algorithm only in code. Even something as simple as DBSalt + 1 is useful because if someone gets your database, they don't actually have the correct salt because the correct salt is calculated.

  6. Calculate your password as follows:

    CreateHash(saltAlgorithm(dbSalt), password);

  7. You can add security by having a list of algorithms that manipulate the DBSalt in different ways. Every time a user changes their password you also use a different calculation against the DBSalt

  8. You can add more security by having these algorithms be stored on web servers external to your system so if your DB and code both get hacked, they still don't have your salt.

    1. You can also increase security by having a before, and after, or both salt and the database alone doesn't provide this information.

There is no end to the "You can increase security by..." comments. Just remember, every time you add security, you add complexity, cost, etc...

How to effectively salt a password stored as a hash in a database

Rhyous
  • 6,510
  • 2
  • 44
  • 50
0

I do it like this

<?php

$my_key = "myapp";
$temp_pwd = htmlentities(trim($_POST['password']));
$hashed = sha1($my_key.$temp_pwd);

save $hashed in database on signup
and with every login attemp merge the input password value with your key and make a hash of it and than compare with database password value


?>
Sumair Zafar
  • 98
  • 8