RobertP Posted September 20, 2011

I just read about password salts, and why they are recommended. I have known about salts for a while now, but never knew rainbow tables existed. So I am updating my encryption for the project I am working on.

My current function:

    protected function encrypt($string){ return hash('sha1',base64_encode($string)); }

My possible updated function (salt length is

    protected function encrypt($string){ return hash('sha1',base64_encode($string.substr(0,(strlen($string)-*-1))); }

Link to comment https://forums.phpfreaks.com/topic/247544-password-salts/
RobertP Posted September 20, 2011 (Author)

Salt length is 8 .. don't mind the
requinix Posted September 20, 2011

Problem 1: the craziness of substr(0,(strlen($string)-*-1)

Problem 2: You can't use part of the password to generate a salt. The salt has to be completely unrelated. Create a random salt and store it along with the password. Don't forget to use it when verifying passwords.
RobertP Posted September 20, 2011 (Author)

When verifying the salt, is there any alternative to that extra query to fetch the salt?
KevinM1 Posted September 21, 2011

What extra query? You need to return two things:

1. The hashed password.
2. The salt.

That's as simple as "SELECT password, salt FROM table_name WHERE user_name = $user_supplied_name". Two columns fetched with one query.

Now for what to use for a salt, I've always liked using the timestamp of when a user registers. It's a unique value for each user and trivial to generate.
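Worked example, added here and not code from anyone in the thread: it puts requinix's advice (a random salt, unrelated to the password, stored beside the hash and reused at verification) and KevinM1's point (salt and hash come back from one query) into a complete register/login pair. The table and column names (members, user, salt, password), the SHA-256 choice in place of the thread's SHA-1, the 16-byte salt and the in-memory SQLite database are all assumptions made for the example; prepared statements are used so the user-supplied name is never interpolated into the SQL.

```php
<?php
// Added example, not from the thread. Assumed schema: members(user, salt, password).
declare(strict_types=1);

const SALT_BYTES = 16; // assumption: 16 random bytes, stored as 32 hex characters

/** A random per-user salt. It is generated independently of the password,
 *  never derived from it, which is the point requinix raised. */
function makeSalt(): string
{
    return bin2hex(random_bytes(SALT_BYTES));
}

/** Salted hash. SHA-256 is used here instead of the thread's SHA-1. */
function saltedHash(string $password, string $salt): string
{
    return hash('sha256', $salt . $password);
}

/** Registration: the salt is created once and stored in the same row as the hash. */
function registerUser(PDO $db, string $user, string $password): void
{
    $salt = makeSalt();
    $stmt = $db->prepare('INSERT INTO members (user, salt, password) VALUES (?, ?, ?)');
    $stmt->execute([$user, $salt, saltedHash($password, $salt)]);
}

/** Login: a single query returns both salt and stored hash; the candidate
 *  password is hashed with that salt and compared in constant time. */
function verifyUser(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT salt, password FROM members WHERE user = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user: no salt to work with, reject
    }
    return hash_equals($row['password'], saltedHash($password, $row['salt']));
}

// Demo against a constructed in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (user TEXT PRIMARY KEY, salt TEXT NOT NULL, password TEXT NOT NULL)');

registerUser($db, 'alice', 'correct horse battery staple');
var_dump(verifyUser($db, 'alice', 'correct horse battery staple'));
var_dump(verifyUser($db, 'alice', 'wrong password'));
var_dump(verifyUser($db, 'bob', 'anything'));

// In PHP 5.5 and later, password_hash() generates and embeds its own random
// salt, so one column holds everything and password_verify() does the check.
$stored = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
var_dump(password_verify('correct horse battery staple', $stored));
```

Two salted users who choose the same password now get different hashes, which is what defeats a precomputed rainbow table; the salt itself is not secret, so storing it in plain text next to the hash is fine. The closing lines show the built-in password_hash()/password_verify() pair, which handles the salt and uses a deliberately slow hash, and is the route to prefer over hand-rolled SHA hashing where the PHP version allows it.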
RobertP Posted September 21, 2011 (Author)

Hmm, I like your method better. ATM I am using select salt from members where user='bla', checking the password, then if all is good, logging in (for which I use an extra query I don't need to ...). Thank you dude.
This topic is now archived and is closed to further replies.