Jump to content

Recommended Posts

A salt is either a random or static string you attach to the unprocessed password.

 

If password is "flsd943$£dsoIw" then you do in PHP like this:

 

$password = md5('flsd943$£dsoIw' . '54398sdfsdf');

 

or for dynamic salt you can use the current time in microseconds which is always unique:

 

$password = md5('flsd943$£dsoIw' . time());

Link to comment
https://forums.phpfreaks.com/topic/231827-password-storage/#findComment-1193018
Share on other sites

You have to store both the salt and the hashed salted password in the db.  Why?  Because when someone tries to log on, you'll need to test that password value with the pre-existing salt.  So, using pseudo-code:

 

// user enters in name and password combo

$name = $_POST['name'];
$pass = $_POST['password'];

$query = mysql_query("SELECT password, salt FROM users WHERE username = $name");

if (mysql_num_rows($query) === 1)
{
   $row = mysql_fetch_assoc($query);

   $savedPass = $row['password'];
   $salt = $row['salt'];

   if (sha1($pass . $salt) === $savedPass) // REMEMBER: $pass is the attempted password...
   {
      // valid user
   }
   else
   {
      // invalid user - figure out what to do
   }
}
else
{
   // bad user name
}

 

Using the current time as a salt when a user registers is the way to go because the value will always be unique, and it will always be unique for that user.

 

Make sure you do your research on how many characters the hashing algorithm you choose will generate.  The more characters, the better, and you don't want to harm your own security by choosing the wrong column type.  A lot of them generate more than 32 characters.

 

EDIT: For password/salt creation, you simply need two columns - one varchar column, the length of whatever hashing algorithm you choose, and one timestamp column for the salt.  When you register the user, simply use:

 

$salt = time();
$saltedPass = sha1($pass . $salt);

// insert both into the db for that user

 

I use SHA1 as, last I read, it's better than MD5.  I should brush up on that, though....

Link to comment
https://forums.phpfreaks.com/topic/231827-password-storage/#findComment-1193042
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.