  1. #1
    masquerading Nick's Avatar
    Join Date Jun 2003, Location East Coast, Posts 2,215

    Question [Salt] Security with user registration/login?

    I've always managed user registration/logging in with one password column, varchar(32) held in md5 format. I've heard about using a "salt", though, for extra security. I don't know what this is or how it works. Any help?
    Nick . all that we see or seem, is but a dream within a dream
    Show someone you care, send them a virtual flower.
    Good deals on men's watches

  2. #2
    ********* Genius Mike's Avatar
    Join Date Apr 2001, Location Canada, Posts 5,458
    PHP Code:
    // A fixed salt string is appended to the user's password before hashing
    $password = md5($user_password . "This is a salt");
    The premise behind it is if someone somehow got the session info or cookie info (or db) and found the md5 hash of the password, they wouldn't be able to brute force crack it.
    Mike
    It's not who I am underneath, but what I do that defines me.

  3. #3
    Umm. PHP Guru....Naaaah jaswinder_rana's Avatar
    Join Date Jul 2004, Location canada, Posts 3,193
    I prefer sha1() (because, I heard somewhere, it's better than MD5)
    ---------------------------
    Errors = Improved Programming.
    My Site

  4. #4
    SitePoint Wizard Young Twig's Avatar
    Join Date Dec 2003, Location Albany, New York, Posts 1,355
    I generally use a random salt (md5(microtime())) and store it in the database row with username, pass, etc.

    Quote Originally Posted by jaswinder_rana
    I prefer sha1() (because, I heard somewhere, it's better than MD5)
    As far as I know, it's just less common. If you have a link or anything, please post it.

  5. #5
    Umm. PHP Guru....Naaaah jaswinder_rana's Avatar
    Join Date Jul 2004, Location canada, Posts 3,193
    I use this function to create a salt
    PHP Code:
    // Builds a salt of $num random characters; rand(0,254) can yield
    // unprintable bytes, which is what causes the copy/paste problem below
    function getSecStr($num = 5)
    {
        $key = '';
        for ($i = 1; $i <= $num; $i++)
            $key .= chr(rand(0, 254));
        return $key;
    }
    which on copying, doesn't copy the actual string, because of some weird characters in it. I tried to copy one string and then generate the password and it didn't work because of those weird characters in it.
    ---------------------------
    Errors = Improved Programming.
    My Site

  6. #6
    masquerading Nick's Avatar
    Join Date Jun 2003, Location East Coast, Posts 2,215
    So, when the user registers, you create a random salt, and also store that value in the database? So then when a user logs in, how does that work with the salt?
    Nick . all that we see or seem, is but a dream within a dream
    Show someone you care, send them a virtual flower.
    Good deals on men's watches

  7. #7
    Umm. PHP Guru....Naaaah jaswinder_rana's Avatar
    Join Date Jul 2004, Location canada, Posts 3,193
    when the user comes in you run a query

    select password,salt from user where username='$username';

    and if the query returns something then the user exists; now what you do is

    if(password == sha1(password_by_user + salt))
    {
    user is good
    }

    when you do sha1(password_by_user + salt), it should be used exactly the same way as it was used during login; as for me

    sha1(sha1(password_by_user)+salt)

    of course in PHP it's .(dot) not +
    ---------------------------
    Errors = Improved Programming.
    My Site
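The register-and-login flow that posts #5 to #7 describe, as an added example that is not code from the thread: the `user` table is stood in for by an in-memory array, the salt is generated as hex text (which avoids the unprintable-character problem from post #5), and the function names are the example's own.

```php
<?php
// Added example, not code from the thread: the register/login flow described in
// posts #5 to #7 with a per-user random salt. $users is an in-memory array standing
// in for the `user` table (columns username, password, salt).

// Salt returned as hex text: it copies and stores cleanly in any charset, unlike the
// raw chr(rand(0,254)) bytes from post #5, and random_bytes() is CSPRNG-backed.
function makeSalt(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));
}

// The construction from post #7: sha1(sha1(password) . salt). Whatever construction
// is chosen, registration and login must apply it identically.
function hashPassword(string $password, string $salt): string
{
    return sha1(sha1($password) . $salt);
}

function registerUser(array &$users, string $username, string $password): void
{
    $salt = makeSalt();
    $users[$username] = ['password' => hashPassword($password, $salt), 'salt' => $salt];
}

// Stands in for "select password,salt from user where username=?" (use a prepared
// statement for that query rather than interpolating $username into the SQL).
function loginUser(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    $row = $users[$username];
    // Recompute with the stored salt; hash_equals() compares in constant time.
    return hash_equals($row['password'], hashPassword($password, $row['salt']));
}

$users = [];
registerUser($users, 'alice', 'correct horse');
registerUser($users, 'bob', 'correct horse');   // same password as alice, different salt

echo 'distinct hashes for same password: ', var_export($users['alice']['password'] !== $users['bob']['password'], true), PHP_EOL;
echo 'alice, right password: ', var_export(loginUser($users, 'alice', 'correct horse'), true), PHP_EOL;
echo 'alice, wrong password: ', var_export(loginUser($users, 'alice', 'wrong'), true), PHP_EOL;
echo 'unknown user: ', var_export(loginUser($users, 'carol', 'correct horse'), true), PHP_EOL;
```

For a new system, PHP's password_hash() and password_verify() handle all of this (random salt, slow bcrypt hashing, constant-time comparison) and are the better choice than any sha1 or md5 construction; the block above only makes the thread's scheme concrete.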

