I’ve finally started to test my abilities and am creating applications that feature user authentication. As of right now I am just sha1 hashing user passwords before storing them in the database. I know this is not very secure but my application is for self-education purposes only.
I’ve been reading about salts and am wondering which methods are most effective in using them. For instance, generating a random length, random value salt and appending it to the password. But this salt would also have to be store in the database, which makes me think that if a hacker gains access to the database they can easily recover the passwords.
A different approach I was looking into would be generating a salt based on the username for instance, performing an algorithm, and appending that salt to my password prior to hasing. This would be done in the actual php code, which would not be visible to a hacker if database access is gained.
Another method I’ve heard of that is available in newer versions of PHP is the crypt() function or bcrypt() function. Which actually salts the hash itself as part of its algorithm.
My main issue however is if a hacker gains access to my database isn’t all hope lost anyways? They don’t need the password to view all of the user’s information but can traverse the database and use m primary keys to link information to my users.
What security practices would you recommend in securing my user’s passwords and the database itself if someone has gained access to it?
For instance, generating a random length, random value salt and appending it to the password. But this salt would also have to be store in the database, which makes me think that if a hacker gains access to the database they can easily recover the passwords.
Yes and no. Knowing the salt won’t easily give them the raw password based on the stored PW hash. They’d need to rebuild a new rainbow table, based on that salt to generated hashes for all the dictionary. And they’d have to do that separately for every user if each user has a different salt. Quite a bit of work.
A different approach I was looking into would be generating a salt based on the username for instance, performing an algorithm, and appending that salt to my password prior to hasing. This would be done in the actual php code, which would not be visible to a hacker if database access is gained.
Or they may have gained access to your PHP (and server in general) on their way to getting DB access.
Salting and hashing passwords is about keeping the raw password safe. So a hacker can’t then use that same users password to gain access to other sites they have accounts with. You’re right that if a hacker is freely browsing your DB it’s all over.
Both MD5 and SHA1 can be cracked if you don’t use a salt.
With a single salt they both become harder to crack as existing rainbow tables etc can’t be used.
With a separate salt for each someone can’t work in bulk and hope to crack any one account - they’d have to target a specific account.
The current recommended minimum hashing algorithm to use for passwords is sha256. This to would be more secure with a salt or salts. sha384 or sha512 would be even more secure.
