1

can someone help me. I've been reading about salting a password to make my passwords more secure. The format I was going with is salt:password_hashed, so my code is md5($salt.":".$password_hashed). $password_hashed is a simple m5d string of the original password, and the hash is taken from mktime().

I don't understand how the salt works, do i need to save this in the database as well? If the salt is ever changing, how does this work?

If a user registered with the password 'password' and the time they registered was 1234567890 (as a unix timestamp). The password generate would be md5(mktime().":".$_POST['password']) or something lik that. But if a user trys to then login with 'password' the newly created salt would be different?

dotty
  • 40,405
  • 66
  • 150
  • 195
  • 1
    possible duplicate of [Password hashing, salt and storage of hashed values](http://stackoverflow.com/questions/1191112/password-hashing-salt-and-storage-of-hashed-values) – mario Oct 19 '11 at 11:26
  • possible duplicate of [How can I store my users' passwords safely?](http://stackoverflow.com/questions/1581610/how-can-i-store-my-users-passwords-safely) – Jacco Oct 19 '11 at 11:39
  • do not use `MD5` (or `SHA1`) for password hashing, those algorithms are no longer suitable. – Jacco Oct 19 '11 at 11:40
  • possible duplicate of [Can PHP read the hash portion of the URL?](http://stackoverflow.com/questions/940905/can-php-read-the-hash-portion-of-the-url) – Your Common Sense Oct 19 '11 at 11:40
  • Maybe also read: [Is time a good salt?](http://stackoverflow.com/questions/4983915/is-time-a-good-salt/4984044) – Jacco Oct 19 '11 at 11:40

4 Answers4

1

You have to store the salt too, you could for example just store the registrationdate and use that in your salt.

TJHeuvel
  • 12,403
  • 4
  • 37
  • 46
  • 1
    Ideally the salt should be random...which is to say, unrelated to the user at the very least. – cHao Oct 19 '11 at 11:09
0

Salts defend against rainbow tables. The salt is generated when the password is saved, so when the user is created and whenever the password is changed. You can store the salt as a separate field in your database but you can also just concatenate the salt with the encrypted password, and storing both in one field. Because salts are usually of a fixed length, it's easy to separate the two later to verify a password for login.

It is worth noting that md5 "considered cryptographically broken and unsuitable for further use" according to US-CERT. You should use sha-256 instead.

jhchen
  • 14,355
  • 14
  • 63
  • 91
0

Your salt can be user's e-mail or username.

I recommend this approach:

hash_hmac('sha256', $password, $salt);
Ondřej Mirtes
  • 5,054
  • 25
  • 36
-2

I've been reading about salting a password to make my passwords more secure.

That's quite nonsense. No salt can make your password more secure.

do i need to save this in the database as well?

yes

If the salt is ever changing, how does this work?

It doesn't work.

if a user tries to then login with 'password' the newly created salt would be different?

How do you think? Can't you compare mktime() result with '1234567890' yourself (and resulting hashes as well)?

Your Common Sense
  • 156,878
  • 40
  • 214
  • 345