random salt
#1

[eluser]trevor2[/eluser]
What is the preferred way to create a random salt? I looked at the php.net site and there are hundred different viewpoints all claiming supremacy.

For the moment I'm considering using the username as a salt, which is not random, but it is unique.
Code:
<?php
    // Form input; the username serves as the salt (unique, but not random).
    $password = $_POST['password'];
    $salt = $_POST['username'];

    function saltshaker($salt, $password)
    {
        // Hash the salt prepended to the password.
        $hash = sha1($salt . $password);
        return $hash;
    }

    $hash = saltshaker($salt, $password);
?>
#2

[eluser]Jondolar[/eluser]
If your code is encoded (zend, ioncube), you can hard-code a non-random salt string and combine it with the username. This gives you the added benefit that if your database is stolen and someone wants to take the time to try to guess that you used the username as the salt, they still can't create a hash table. Even if your hard-coded salt string is not encoded, it can protect you if your database is compromised but your code is not.

Example:
$key = 'aksjdfkwierieujksdkjfdkeurie3948398493'; // hard coded, used multiple places
$salt = sha1($_POST['username'] . $key);        // per-user salt derived from username + key
$hash = sha1($salt . $password);                 // stored password hash

Don't store your salt in the database, use a random salt stored in the database, such as user, email, random text that is stored with the record. Then add an additional key (not really a salt) that is not stored in the database. If you can encode your code, even better (but not very common, I guess).
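An added example (not code from either poster) of the design the reply above describes: a random per-user salt stored with the record, plus a server-side key that stays out of the database. It replaces the single `sha1()` round with `password_hash()` (bcrypt) so guessing stays slow even if both the database and the salt leak; `PEPPER`, `makeSalt`, `hashPassword` and `verifyPassword` are names made up for this example.

```php
<?php
declare(strict_types=1);

// Assumption: the pepper is loaded from config/environment, never from the users table.
const PEPPER = 'replace-with-a-long-random-value-from-your-config';

// Salts must be unpredictable: random_bytes() is cryptographically secure,
// unlike rand()/mt_rand() or deriving the salt from the username.
function makeSalt(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes)); // 32 hex chars, stored with the user row
}

// Mix salt, password and pepper with a keyed HMAC first (hex output stays under
// bcrypt's 72-byte input limit), then let password_hash() do the slow, salted work.
function hashPassword(string $password, string $salt): string
{
    $mixed = hash_hmac('sha256', $salt . $password, PEPPER);
    return password_hash($mixed, PASSWORD_BCRYPT);
}

// password_verify() re-derives the bcrypt hash and compares in constant time.
function verifyPassword(string $password, string $salt, string $storedHash): bool
{
    $mixed = hash_hmac('sha256', $salt . $password, PEPPER);
    return password_verify($mixed, $storedHash);
}

// Usage with constructed values; nothing is read from $_POST here.
$salt   = makeSalt();
$stored = hashPassword('correct horse battery staple', $salt);

var_dump(verifyPassword('correct horse battery staple', $salt, $stored));
var_dump(verifyPassword('wrong guess', $salt, $stored));
```

Store `$salt` and `$stored` with the user record; the pepper lives only in application config, so a dump of the users table alone is not enough to start guessing.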



