
[SOLVED] Quick question about Hashing with Salt.


Demonic


Alright, salt is a random string. So when a user registers, right, I generate the salt.

 

$salt = substr(md5(uniqid(rand(), true)), 0, 5);

 

Then I md5 the salt and password:

 

$password = $_POST['password'];

 

$pass = md5($salt.md5($salt.$password));

 

Now the password is encrypted, so I insert the password and the salt in the DB.

 

Now that's on registration. Now when logging in each time and a successful login happens

 

Should I make a new salt for security?

You can't hash the password using a random salt. A salt has to be fixed, because you need to use it hashing the given password every time you log in. So unless you store that random salt somehow per each user, your salt must be the same all the time. You can set it to something no one will guess though, something like "erwgh#^fjgb5468@#%".

 

Orio.

Like I said above, I insert the salt AND the password in the DB so I can use it later.

 

That's not even my question. I'm asking: should I generate a new salt and update the user's profile with a new salt for security measures? (That's on a successful login.) Would that be any safer than without adding a new salt?

$salt = substr(md5(uniqid(rand(), true)), 0, 5);

The rest of the code is fine, I just don't see the point of the above code. Salt is just a small random string anyway.

 

Normally, there is no need to regenerate the salt. The purpose of the salt is to create a hard-to-guess string. This is internal server work, so changing it would have no more or less effect on security. If security is the main concern, I would suggest using SSL. Still, this is only my opinion.

Only reason I was thinking of regenerating it is because if the users in the old software don't have a hash and were updated, their password would be less secure than others (unless I make a function in their control panel saying "make my pass more secure" lol or something). But yeah, I might as well just reinsert it on a successful login.

 

Thanks.

Archived

This topic is now archived and is closed to further replies.
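
An added example, not code from any poster in this thread: one way to handle the upgrade-on-successful-login case discussed above, using PHP's built-in password_hash(), password_verify() and password_needs_rehash(). The function names and the array record with `pass` and `salt` fields (standing in for a DB row) are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Assumed record layout: a legacy row has
// 'pass' = md5($salt . md5($salt . $password)) plus 'salt'; an upgraded row has
// 'pass' = password_hash() output and 'salt' = null.

function legacy_hash(string $salt, string $password): string
{
    return md5($salt . md5($salt . $password)); // scheme from the first post
}

// Returns true on a successful login. $user is updated in place when the
// stored hash was upgraded; the caller would then persist it to the DB.
function verify_and_upgrade(array &$user, string $password): bool
{
    if ($user['salt'] !== null) {
        // Legacy row: constant-time comparison against the old salted MD5.
        if (!hash_equals($user['pass'], legacy_hash($user['salt'], $password))) {
            return false;
        }
        // The plaintext is only available at login, so re-hash it now.
        $user['pass'] = password_hash($password, PASSWORD_DEFAULT);
        $user['salt'] = null; // password_hash() embeds its own random salt
        return true;
    }

    if (!password_verify($password, $user['pass'])) {
        return false;
    }
    // Re-hash only when the default algorithm or cost changed since storage,
    // not on every login.
    if (password_needs_rehash($user['pass'], PASSWORD_DEFAULT)) {
        $user['pass'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample data: one legacy account with a 5-character salt.
$salt = substr(bin2hex(random_bytes(8)), 0, 5);
$user = ['salt' => $salt, 'pass' => legacy_hash($salt, 'correct horse')];

var_dump(verify_and_upgrade($user, 'wrong guess'));   // failed login, row untouched
var_dump(verify_and_upgrade($user, 'correct horse')); // legacy match, row upgraded
var_dump($user['salt'] === null);                     // legacy salt column cleared
var_dump(verify_and_upgrade($user, 'correct horse')); // now checked by password_verify()
```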
