clay1 Posted March 27, 2011
Hi, What is a good way to store passwords using PHP and PostgreSQL, and what columns/column types do I need to do so? I've got a table 'users'. I've tried to find a straightforward answer but am confused by 'salting' etc. Thanks
Link to comment: https://forums.phpfreaks.com/topic/231827-password-storage/
clay1 (Author) Posted March 27, 2011
Anyone, please?
JakkyD Posted March 27, 2011
Not sure if it's the same for PostgreSQL, but for MySQL I do this:

    Column name = password
    Data type = VARCHAR(32)

And then in PHP:

    // md5() returns a 32-character hex string, which is why the column is VARCHAR(32)
    $Password = $_POST["Password"];
    $Password = md5($Password);
clay1 (Author) Posted March 27, 2011
Thanks. However, everything I've read has said md5 is not adequate. Also, I have read in numerous places that salting is recommended, but I am uncertain of how to actually implement it.
silkfire Posted March 27, 2011
A salt is either a random or static string you attach to the unprocessed password. If the password is "flsd943$£dsoIw", then you do it in PHP like this:

    // static salt appended to the password before hashing
    $password = md5('flsd943$£dsoIw' . '54398sdfsdf');

or for a dynamic salt you can use the current time in microseconds, which is always unique:

    // salt derived from the current time
    $password = md5('flsd943$£dsoIw' . time());
clay1 (Author) Posted March 27, 2011
    $password = md5('flsd943$£dsoIw' . time());

I would use this when the user creates a pw? And then store that in a text column in my table? How about when the user logs in?
KevinM1 Posted March 27, 2011
You have to store both the salt and the hashed salted password in the db. Why? Because when someone tries to log on, you'll need to test that password value with the pre-existing salt. So, using pseudo-code:

    // user enters name and password combo
    $name = $_POST['name'];
    $pass = $_POST['password'];

    // escape and quote the user-supplied name before placing it in the query
    $name = mysql_real_escape_string($name);
    $query = mysql_query("SELECT password, salt FROM users WHERE username = '$name'");

    if (mysql_num_rows($query) === 1) {
        $row = mysql_fetch_assoc($query);
        $savedPass = $row['password'];   // stored sha1(password . salt)
        $salt = $row['salt'];            // salt saved at registration

        // REMEMBER: $pass is the attempted password...
        if (sha1($pass . $salt) === $savedPass) {
            // valid user
        } else {
            // invalid user - figure out what to do
        }
    } else {
        // bad user name
    }

Using the current time as a salt when a user registers is the way to go because the value will always be unique, and it will always be unique for that user. Make sure you do your research on how many characters the hashing algorithm you choose will generate. The more characters, the better, and you don't want to harm your own security by choosing the wrong column type. A lot of them generate more than 32 characters.

EDIT: For password/salt creation, you simply need two columns: one varchar column, the length of whatever hashing algorithm you choose, and one timestamp column for the salt. When you register the user, simply use:

    $salt = time();                     // registration time used as the salt
    $saltedPass = sha1($pass . $salt);  // hash of password + salt
    // insert both into the db for that user

I use SHA1 as, last I read, it's better than MD5. I should brush up on that, though....
clay1 (Author) Posted March 27, 2011
    $salt = time();
    $saltedPass = sha1($pass . $salt);
    // insert both into the db for that user

So store $saltedPass and $salt, not $pass, right?
KevinM1 Posted March 27, 2011
Correct.
clay1 (Author) Posted March 28, 2011
Great, thanks for your help. I think I've got a better handle on it now and my test scripts are working so far.