DWilliams, posted September 22, 2010

Knowing that it has to be set once upon script installation and never changed, what is the most common way to handle this in redistributable scripts? Should I add a salt value in the config file and ask the user to set it, or should I generate a random value and write it to a file, or should I take a different approach entirely?

btherl, posted September 22, 2010

I would generate it if it's not there, and store it somewhere. I'm being vague about where to store it because it really depends on how your script will be used and how the salt will be used. Asking the user to make it seems like asking them to do something they don't really need to. Though you can allow them to manually override it if needed.

DWilliams (Author), posted September 29, 2010

Hmm, well, my script will be a small web-based utility that people will run on their webservers. Simply writing a random salt value to a file in my project's base directory and reading it in when needed seems easy and functional, but I see two problems with that:

1. The file will be exposed to the outside world. On Unix-based systems I can call chmod() on it and rectify that situation, but that won't work if the end user is running a Windows server, will it?
2. It adds an extra and perhaps non-obvious file to back up. If the user only backs up the database for the project and maybe the config file, they will be endlessly screwed if they lose the initial salt value.

DWilliams (Author), posted October 30, 2010

Necro bump

btherl, posted October 31, 2010

I didn't reply earlier because I'm not sure what kind of salt you are using. How are you using the salt?

DWilliams (Author), posted October 31, 2010

> I didn't reply earlier because I'm not sure what kind of salt you are using. How are you using the salt?

I'm not an expert on the terminology, but essentially I'm just using one string as my salt for additional password encryption. When an account is registered, I store the password in the database after running it through the following function:

    md5($config['salt'] . $_POST['password']);

And when they log in, I do the same thing with their input password. It works fine; my only problem is where to store the salt.

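An added example, not code from any poster in this thread: one way to do the generate-if-missing storage btherl describes, written against the two problems DWilliams lists (a web-readable file, and a value that is not backed up with the database). It assumes PHP 7 or later and a server that executes .php files; the function names and the file path are hypothetical.

```php
<?php
// Added example; function names and the file path are hypothetical.

// Generate-if-missing store for one install-wide secret. The file is itself
// PHP that returns the value, so on a server that executes .php files a web
// request for it runs the script and sends an empty body.
function site_secret(string $path): string
{
    if (!is_file($path)) {
        $fh = @fopen($path, 'x');          // 'x' refuses to overwrite an existing secret
        if ($fh === false) {
            throw new RuntimeException("cannot create $path");
        }
        fwrite($fh, "<?php\nreturn '" . bin2hex(random_bytes(32)) . "';\n");
        fclose($fh);
        @chmod($path, 0600);               // limits access on Unix; on Windows it only changes the read-only flag
    }
    $secret = require $path;               // require (not require_once) returns the value on every call
    if (!is_string($secret) || strlen($secret) !== 64) {
        throw new RuntimeException("$path is damaged; restore it from backup");
    }
    return $secret;
}

// Per-password salts: password_hash() draws a fresh random salt on each call
// and embeds it in the returned string, so the salt is stored and backed up
// with the database row and needs no install-time file.
function hash_new_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function check_password(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Constructed demo in a temporary directory.
$path  = sys_get_temp_dir() . '/salt_demo_' . bin2hex(random_bytes(4)) . '.php';
$first = site_secret($path);
var_dump($first === site_secret($path));        // second load of the same file
$a = hash_new_password('correct horse');
$b = hash_new_password('correct horse');
var_dump($a !== $b);                            // same password hashed twice
var_dump(check_password('correct horse', $a));
var_dump(check_password('wrong guess', $a));
unlink($path);
```

The site secret file still has to be backed up along with the config; the `password_hash()` values do not depend on it.
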
A1SURF.us, posted November 1, 2010

I think I'm asking the same thing here: http://www.phpfreaks.com/forums/php-coding-help/how-does-md5-password-encryption-work/

This topic is now archived and is closed to further replies.