RobertP Posted September 20, 2011

I just read about password salts, and why they are recommended. I knew about salts for a while now, but never knew rainbow tables existed. So I am updating my encryption for the project I am working on.

My current function:

    protected function encrypt($string){
        return hash('sha1',base64_encode($string));
    }

My possible updated function (salt length is

    protected function encrypt($string){
        return hash('sha1',base64_encode($string.substr(0,(strlen($string)-*-1)));
    }
RobertP (Author) Posted September 20, 2011

Salt length is 8 .. don't mind the
requinix Posted September 20, 2011

Problem 1: the craziness of substr(0,(strlen($string)-*-1)

Problem 2: You can't use part of the password to generate a salt. The salt has to be completely unrelated. Create a random salt and store it along with the password. Don't forget to use it when verifying passwords.
RobertP (Author) Posted September 20, 2011

When verifying the salt, is there any alternative to that extra query to fetch the salt?
KevinM1 Posted September 21, 2011

What extra query? You need to return two things:

1. The hashed password.
2. The salt.

That's as simple as "SELECT password, salt FROM table_name WHERE user_name = $user_supplied_name". Two columns fetched with one query.

Now for what to use for a salt, I've always liked using the timestamp of when a user registers. It's a unique value for each user and trivial to generate.
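The approach requinix and KevinM1 describe (a random per-user salt stored beside the hash, and a single query that fetches both columns at login) as an added example; this is not code from the thread. It assumes PHP 7 or later with the pdo_sqlite extension, and the table/column names are made up for the example.

```php
<?php
// Added example: random salt stored with the hash, verified with one query.
// Runs stand-alone against an in-memory SQLite database (assumes pdo_sqlite).

const SALT_BYTES = 16;

function makeSalt(): string {
    // random_bytes() is a CSPRNG; the salt is never derived from the password.
    return bin2hex(random_bytes(SALT_BYTES));
}

function hashPassword(string $password, string $salt): string {
    // Prepending the salt means two users with the same password get
    // different hashes, which defeats a precomputed rainbow table.
    // A fast digest is what the thread discusses; current PHP provides
    // password_hash()/password_verify(), which handle salting for you.
    return hash('sha256', $salt . $password);
}

function registerUser(PDO $db, string $user, string $password): void {
    $salt = makeSalt();
    $stmt = $db->prepare('INSERT INTO members (user, password, salt) VALUES (?, ?, ?)');
    $stmt->execute([$user, hashPassword($password, $salt), $salt]);
}

function verifyUser(PDO $db, string $user, string $password): bool {
    // One prepared query returns both the stored hash and its salt.
    $stmt = $db->prepare('SELECT password, salt FROM members WHERE user = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // hash_equals() compares in constant time to avoid a timing side channel.
    return hash_equals($row['password'], hashPassword($password, $row['salt']));
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE members (user TEXT PRIMARY KEY, password TEXT, salt TEXT)');
registerUser($db, 'alice', 'correct horse');
registerUser($db, 'bob', 'correct horse'); // same password, different salt and hash
var_dump(verifyUser($db, 'alice', 'correct horse'));
var_dump(verifyUser($db, 'alice', 'wrong password'));
var_dump(verifyUser($db, 'nobody', 'correct horse'));
```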
RobertP (Author) Posted September 21, 2011

Hmm, I like your method better. Atm I am using "select salt from members where user='bla'", checking the password, then if all is good, logging in (which uses an extra query I don't need to ...). Thank you dude.