
How are salt values typically implemented in a project?


DWilliams


Knowing that it has to be set once upon script installation and never changed, what is the most common way to handle this in redistributable scripts?

 

Should I add a salt value in the config file and ask the user to set it, or should I generate a random value and write it to a file, or should I take a different approach entirely?


I would generate it if it's not there, and store it somewhere.  I'm being vague about where to store it because it really depends how your script will be used and how the salt will be used.  Asking the user to make it seems like asking them to do something they don't really need to.  Though you can allow them to manually override it if needed.


Hmm, well, my script will be a small web-based utility that people will run on their web servers. Simply writing a random salt value to a file in my project's base directory and reading it in when needed seems easy and functional, but I see two problems with that:

 

1. The file will be exposed to the outside world. On Unix-based systems I can call chmod() on it and rectify that situation, but that won't work if the end user is running a Windows server, will it?

 

2. It adds an extra and perhaps non-obvious file to back up. If the user only backs up the database for the project and maybe the config file, they will be endlessly screwed if they lose the initial salt value.

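One way to do what the earlier reply suggests (generate the value if it is missing, store it, and let the user override it manually) while addressing the two concerns above (the file being served to the outside world, and the file being forgotten in backups). This is an added example, not code from the thread or from the original poster's project; the config key `salt`, the `data/secret.txt` path and the `public/` web root are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the thread: bootstrap a site-wide secret for a
// redistributable web script. Path layout, config keys and function names are
// assumptions chosen for illustration.
declare(strict_types=1);

/**
 * Return the site-wide secret, generating it on first run.
 *
 * Resolution order:
 *   1. $config['salt'] if the installer set one (manual override).
 *   2. The secret file, if it already exists.
 *   3. A freshly generated random value, written to the secret file.
 */
function load_or_create_secret(array $config, string $secretFile): string
{
    // 1. Explicit override from the config file, if the user chose to set one.
    if (isset($config['salt']) && $config['salt'] !== '') {
        return (string) $config['salt'];
    }

    // 2. Value generated on an earlier run.
    if (is_file($secretFile)) {
        $existing = trim((string) file_get_contents($secretFile));
        if ($existing !== '') {
            return $existing;
        }
    }

    // 3. First run: draw 32 bytes from the OS CSPRNG (random_bytes, PHP >= 7)
    //    and store them hex-encoded so the file is plain text.
    $secret = bin2hex(random_bytes(32));

    $dir = dirname($secretFile);
    if (!is_dir($dir) && !@mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create directory $dir");
    }

    // fopen 'x' creates the file and fails if it already exists, so two
    // concurrent first requests cannot both persist their own value: the loser
    // falls back to reading what the winner wrote.
    $fh = @fopen($secretFile, 'x');
    if ($fh === false) {
        $existing = trim((string) file_get_contents($secretFile));
        if ($existing === '') {
            throw new RuntimeException("secret file $secretFile is empty");
        }
        return $existing;
    }
    fwrite($fh, $secret . "\n");
    fclose($fh);

    // Owner-only permissions where the OS honours them. chmod() is a no-op on
    // Windows, so the file must also live outside the document root; that, not
    // chmod, is what keeps the web server from ever serving it.
    @chmod($secretFile, 0600);

    return $secret;
}

// Assumed layout: the web root is <project>/public, so <project>/data is
// never served. The config array stands in for whatever config.php returns.
$config     = ['salt' => ''];
$secretFile = dirname(__DIR__) . '/data/secret.txt';
$secret     = load_or_create_secret($config, $secretFile);
```

Keeping the file outside the document root is the portable answer to the first concern: it works on Windows and on any web server without relying on chmod() or on a server-specific deny rule. For the second concern, because the config value wins over the file, the installer can print the generated value once and tell the user to paste it into the config file they already back up; the file then only serves as the fallback on a fresh install.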

1 month later...

I didn't reply earlier because I'm not sure what kind of salt you are using.  How are you using the salt?

 

I'm not an expert on the terminology, but essentially I'm just using one string as my salt for additional password encryption.

 

When an account is registered, I store the password in the database after running it through the following function:

 

md5($config['salt'] . $_POST['password']);

 

And when they log in, I do the same thing with their input password. It works fine, my only problem is where to store the salt.

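The scheme in the post above, shown beside a per-user salted alternative, as an added example that is not part of the original thread. A single site-wide string hashed with MD5 is a pepper rather than a salt: users with the same password end up with the same digest, and the work to test a guess against every row is a single fast MD5. password_hash() generates and embeds a random per-user salt, which also removes the need to store or back up a separate salt value. Function names, the sample password and the `example-site-salt` string are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the thread: the single-string scheme posted
// above, shown beside a per-user salted scheme. Function and variable names
// are assumptions chosen for illustration.
declare(strict_types=1);

// Scheme as posted: one site-wide string prepended to every password and
// hashed with MD5. Two users with the same password get the same digest, so
// the site salt does not individualise the rows, and MD5 is fast enough that
// whoever obtains the salt can test every row against each guess at once.
function hash_with_site_salt(string $siteSalt, string $password): string
{
    return md5($siteSalt . $password);
}

function verify_with_site_salt(string $siteSalt, string $password, string $stored): bool
{
    // hash_equals() compares in constant time; == would leak timing.
    return hash_equals($stored, hash_with_site_salt($siteSalt, $password));
}

// Per-user salt: password_hash() draws a fresh random salt for every call and
// embeds it, the algorithm and the cost in the returned string. The hash
// column is self-contained, so there is no separate salt to store or back up.
function hash_per_user(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function verify_per_user(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Optional: if a site-wide secret is still wanted, use it as a pepper by
// pre-hashing with HMAC. The secret then lives outside the database, while the
// per-user salt still comes from password_hash(). Losing the pepper does make
// every stored hash unverifiable, which is the backup concern raised earlier.
function hash_per_user_with_pepper(string $pepper, string $password): string
{
    return password_hash(hash_hmac('sha256', $password, $pepper), PASSWORD_DEFAULT);
}

function verify_per_user_with_pepper(string $pepper, string $password, string $stored): bool
{
    return password_verify(hash_hmac('sha256', $password, $pepper), $stored);
}

// Constructed sample data for a local run.
$siteSalt = 'example-site-salt';

// Same password, same site salt: identical digests, so one row reveals the other.
$sameDigest = hash_with_site_salt($siteSalt, 'hunter2')
           === hash_with_site_salt($siteSalt, 'hunter2');

// Same password through password_hash(): different strings, both still verify.
$h1 = hash_per_user('hunter2');
$h2 = hash_per_user('hunter2');
$distinct     = $h1 !== $h2 && verify_per_user('hunter2', $h1) && verify_per_user('hunter2', $h2);
$rejectsWrong = !verify_per_user('wrong', $h1);

// Peppered variant: verifies with the right pepper, fails with a different one.
$p = hash_per_user_with_pepper($siteSalt, 'hunter2');
$pepperOk     = verify_per_user_with_pepper($siteSalt, 'hunter2', $p);
$pepperWrong  = !verify_per_user_with_pepper('other-secret', 'hunter2', $p);

var_dump($sameDigest, $distinct, $rejectsWrong, $pepperOk, $pepperWrong);
```

With password_hash() the stored string carries its own salt, so the question of where to keep a site-wide salt largely disappears for password storage; the pepper variant is the one case where a site-wide secret still matters, and it then needs the same out-of-docroot storage and backup care discussed earlier in the thread.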
