Do I need to use salt?

Hey guys,

I have been following some tutorials and they mentioned that you need to use salt, but someone told me that I don’t need to use salt. I would appreciate some advice here because this person is trying to help me with my database.

Contrary to popular belief, a pinch of salt when boiling water for pasta isn’t required. Assuming, however, you mean for password hashing:

  1. Yes, passwords should be hashed using salts
  2. You should not do this yourself and just use password_hash/password_verify, which handles the security for you and was created by people who know a lot more about this than you or I.
9 Likes

Thanks for the reply… I am trying to get someone to assist me with my database. He advised me not to use salt because there is verify; should I tell him to use salt? Is there any security I should be concerned about when getting him to help me with my database?

It sounds like he’s in favor of password_hash which handles salt for you and outputs it as a single bcrypt string. You don’t need to hash and salt this yourself.

I am concerned because I am new to PHP and databases. Can they hack your database?

From

Mervin

Your database can be hacked. Everything put online can be hacked. The reason you want to encrypt your passwords with a 1 way encryption is to prevent the hackers from gaining your users’ passwords in the event that your site is hacked. Low traffic sites with inexperienced developers are actually a primary target for a lot of hackers, because it will give them access to poorly secured user passwords, and a lot of users use the same password for many sites, which will allow them to get into a lot more systems.

If you do not salt them individually and just use a hashing algorithm, all they need to do is run the passwords against a precomputed list of hashed strings, which you can find online.

If you salt them with a single salt that is not unique to each password, then the hackers can compute their own list of precomputed hashed strings for your site. This will allow them to get access to the majority of your users’ passwords.

If you salt them correctly, where each instance of a password has its own unique salt, then it could theoretically take the hackers years to break the hash of a single password. PHP’s password_hash/password_verify handles this for you magically. It uses a very secure bcrypt hashing algorithm that includes a unique randomly generated salt every time a new password is stored. You can also change password_hash to use a different algorithm, but you shouldn’t do that.

Hashing algorithms and methodologies aren’t unique to PHP. But, PHP.net actually has one of the best explanations of what it is and why it’s important that I know of.

http://php.net/manual/en/faq.passwords.php

https://en.wikipedia.org/wiki/Bcrypt

4 Likes
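As an added illustration of the point made in the reply above (example code, not from the thread): PHP’s built-in password_hash/password_verify/password_needs_rehash generate and embed a unique random salt in the stored string, so no separate salt column is needed. The helper names storePassword/checkLogin and the sample password are constructed for this example.

```php
<?php
// Added example: storing and checking a password with PHP's built-in
// password_* functions. The salt is generated per call and embedded in the
// returned string, so the application never handles it directly.

declare(strict_types=1);

// Cost factor for bcrypt (PASSWORD_DEFAULT is bcrypt in current PHP).
// Raising it later is safe: old hashes still verify, and get rehashed below.
const HASH_OPTIONS = ['cost' => 12];

// Hash a plaintext password for storage. The result contains the algorithm,
// cost, random salt and digest together, e.g. "$2y$12$...".
function storePassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT, HASH_OPTIONS);
}

// Check a login attempt. password_verify() reads the salt and cost back out of
// the stored string, so nothing beyond that one column is required.
function checkLogin(string $plain, string $storedHash): bool
{
    return password_verify($plain, $storedHash);
}

// Constructed demo value; the database column should be at least 255 chars
// wide so that a future algorithm with a longer output still fits.
$password = 'correct horse battery staple';

$hashA = storePassword($password);
$hashB = storePassword($password);

// Same password, different salts, therefore different hashes: a precomputed
// table built against one user's hash is useless against another's.
assert($hashA !== $hashB);
assert(checkLogin($password, $hashA));
assert(!checkLogin('wrong password', $hashA));

// After a successful login, upgrade hashes that were made with an older cost
// or algorithm, then write the new value back to the database.
if (checkLogin($password, $hashA)
    && password_needs_rehash($hashA, PASSWORD_DEFAULT, HASH_OPTIONS)) {
    $hashA = storePassword($password);
}

echo "stored: {$hashA}\n";
```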

To clarify what has been said, a hash should be salted. But if you are using password_hash, which you should be, you don’t need to worry yourself with salt, because it is done automatically.

There are plenty of tutorials kicking about still showing old and outdated hashing methods like md5 (among other security faux pas). If this happens to be one of those, run a mile and don’t look back. These are poison to the PHP beginner.

1 Like
