is my salted hash ok to use?

[ibinod]

after working a while i came out with this function for salting my hashes

please suggest me wt i can do to improve it or is it ok to use for my projects

function saltHash($username, $password)
{
$salt = substr($username,0,4); //all username will be atleast 4 chars so i thought good to take only 4 chars
return hash("sha512",$password.$salt);
}

and while authenticating i m checking like this

function checkHash($hash, $username, $password)
{
$saltWas = substr($username, 0, 4);
if($hash == hash("sha512",$password.$saltWas))
{
	return true;
}
return false;
}

 

btw i am using varchar(150) to store the hashes

[Mchl]

Why not use full username? The longer salt, the better.

sha512 output is 128 characters long, so you can store it in (VAR)CHAR(128)

[ibinod]

Hi Mchl thanks for the suggestion

btw i don't want to use the full name coz every username may not have same length so i thought to use only 4 chars,

 

btw there is one thing i need your suggestion on, since i will be using their username as dynamic salt so wt if a username is needed to be changed in future, after that how can i verify the salt;

wt do u suggest on this.

 

[fook3d]

Use a login_name and user_name field.

 

login_name stays the same forever, while any update in the site shows as user_name, which means all places where a user name is used in the site, would run from the user_name row

[ibinod]

thankx that can be a good soluton 

[Mchl]

btw i don't want to use the full name coz every username may not have same length so i thought to use only 4 chars,

 

And how exactly does it matter?

[ibinod]

No it doesn't but i think it's ok to use only 4 chars but for better securyt full username is also gr8 

[Mark Baker]

Do you hold a date when the user records was created? I use that as the basis for my salts

[DarkWater]

Why not just use a bunch of random characters?

 

ߝആਂሻርሏϧ}«§٨Փض⢽४

 

I have a feeling that most bruteforcers only check single-byte characters anyway.

[Mchl]

Since hashing algorithms take input byte by byte, multibyte strings don't really make difference (I think).

[DarkWater]

I don't think so.  Look at this test I set up:

 

<?php
echo md5("Ā"). "\n"; //Ā is 0x100 or 0xFF + 0x01
echo md5(chr(0xFF) . chr(0x01)) . "\n";
?>

Yields:

 

99c2cdc511a866f109a87f21f336ed94

fb73c139137bccfee5d95bddb087480a

 

[Mchl]

chr(0xFF) . chr(0x01) will give you FF01

how is that equal to 0001 ?

 

And besides

 

md5("Ā") is a md of Ā, and not of single character.

[Mchl]

Here's my test

 

<?php

echo "Ā<br/>";

echo md5("Ā"). "<br/>";

//Ā is unicode 0xC480

echo chr(0xC4).chr(0x80)."<br/>";

echo md5(chr(0xC4) . chr(0x80)) . "\n";

?>

 

 

results

Ā
99c2cdc511a866f109a87f21f336ed94
Ā
99c2cdc511a866f109a87f21f336ed94 

 

ok... so now I see where &#256; come from in your post