ibinod, posted November 23, 2008
Thread: https://forums.phpfreaks.com/topic/133891-is-my-salted-hash-ok-to-use/

After working a while I came out with this function for salting my hashes. Please suggest what I can do to improve it, or is it OK to use for my projects?

    function saltHash($username, $password) {
        // all usernames will be at least 4 chars, so I thought it good to take only 4 chars
        $salt = substr($username, 0, 4);
        return hash("sha512", $password . $salt);
    }

And while authenticating I'm checking like this:

    function checkHash($hash, $username, $password) {
        $saltWas = substr($username, 0, 4);
        // strict comparison: == would apply PHP's numeric-string juggling to two hex strings
        if ($hash === hash("sha512", $password . $saltWas)) {
            return true;
        }
        return false;
    }

Btw, I am using varchar(150) to store the hashes.
Mchl, posted November 23, 2008

Why not use the full username? The longer the salt, the better. sha512 output is 128 characters long, so you can store it in (VAR)CHAR(128).
ibinod (author), posted November 23, 2008

Hi Mchl, thanks for the suggestion. Btw, I don't want to use the full name because every username may not have the same length, so I thought to use only 4 chars. Btw, there is one thing I need your suggestion on: since I will be using their username as a dynamic salt, what if a username needs to be changed in future? After that, how can I verify the salt? What do you suggest on this?
fook3d, posted November 23, 2008

Use a login_name and a user_name field. login_name stays the same forever, while any update in the site shows as user_name, which means all places where a user name is used in the site would run from the user_name column.
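A per-user random salt, as an added example that is not code from the thread (the function names and the salt$hash storage format are my own; assumes PHP 7.1+ for random_bytes, hash_equals and array destructuring). It covers both the original question and the rename problem that fook3d's two-column approach works around, because the salt no longer derives from the username at all.

```php
<?php
// Added example: random per-user salt stored beside the hash.
// The salt is public but unique, so two users with the same password
// (or similar usernames) still get different hashes, and renaming a user
// does not change anything the verifier needs.

function makeSaltedHash(string $password): string {
    // 16 random bytes = 128 bits of salt, versus a guessable 4-char username prefix.
    $salt = bin2hex(random_bytes(16));          // 32 hex characters
    $hash = hash('sha512', $salt . $password);  // 128 hex characters
    // Keep salt and hash together in one column: "<salt>$<hash>".
    return $salt . '$' . $hash;
}

function verifySaltedHash(string $stored, string $password): bool {
    $parts = explode('$', $stored, 2);
    if (count($parts) !== 2 || strlen($parts[0]) !== 32 || strlen($parts[1]) !== 128) {
        return false;                           // malformed record, never "true" by accident
    }
    [$salt, $hash] = $parts;
    $candidate = hash('sha512', $salt . $password);
    // Constant-time compare; also avoids PHP's loose == juggling on hex strings.
    return hash_equals($hash, $candidate);
}

// Demonstration with a constructed password; the username is never involved,
// so the account can be renamed freely after the record is stored.
$stored = makeSaltedHash('correct horse battery staple');
var_dump(verifySaltedHash($stored, 'correct horse battery staple'));
var_dump(verifySaltedHash($stored, 'wrong password'));
var_dump(verifySaltedHash('garbage', 'correct horse battery staple'));

// Same password hashed twice yields two different records (different salts).
var_dump(makeSaltedHash('same password') !== makeSaltedHash('same password'));

// For a new project, PHP's own password_hash()/password_verify() (bcrypt,
// salt generated and stored automatically) is the better choice than plain sha512.
$builtin = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
var_dump(password_verify('correct horse battery staple', $builtin));
```

The stored string is 32 + 1 + 128 = 161 characters, so the varchar(150) column from the first post is too short for this format (or keep salt and hash in two separate columns).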
ibinod (author), posted November 23, 2008

Thanks, that can be a good solution.
Mchl, posted November 23, 2008

> btw I don't want to use the full name because every username may not have the same length, so I thought to use only 4 chars.

And how exactly does it matter?
ibinod (author), posted November 23, 2008

No, it doesn't, but I think it's OK to use only 4 chars; for better security the full username is also great.
Mark Baker, posted November 23, 2008

Do you hold a date when the user record was created? I use that as the basis for my salts.
DarkWater, posted November 23, 2008

Why not just use a bunch of random characters? ߝആਂሻርሏϧ}«§٨Փض⢽४ I have a feeling that most bruteforcers only check single-byte characters anyway.
Mchl, posted November 23, 2008

Since hashing algorithms take input byte by byte, multibyte strings don't really make a difference (I think).
DarkWater, posted November 23, 2008

I don't think so. Look at this test I set up:

    <?php
    echo md5("Ā") . "\n"; // Ā is 0x100 or 0xFF + 0x01
    echo md5(chr(0xFF) . chr(0x01)) . "\n";
    ?>

Yields:

    99c2cdc511a866f109a87f21f336ed94
    fb73c139137bccfee5d95bddb087480a
Mchl, posted November 23, 2008

chr(0xFF) . chr(0x01) will give you FF01; how is that equal to 0001? And besides, md5("Ā") is an md5 of Ā, and not of a single character.
Mchl, posted November 23, 2008

Here's my test:

    <?php
    echo "Ā<br/>";
    echo md5("Ā") . "<br/>"; // Ā is unicode 0xC480
    echo chr(0xC4) . chr(0x80) . "<br/>";
    echo md5(chr(0xC4) . chr(0x80)) . "\n";
    ?>

Results:

    Ā
    99c2cdc511a866f109a87f21f336ed94
    Ā
    99c2cdc511a866f109a87f21f336ed94

OK... so now I see where Ā comes from in your post.