Using password hashing with prepared statements and pepper

I'm trying to make my registration system a lot more secure and I'm still trying to figure out the best way to hash passwords. I've tried two sets of code, one with “pepper”, which doesn't work, and another with the normal hashing, which does work.

$stmt = $conn->prepare("insert into admin(Adminfnam,Adminlnam,DOB,Aemail,AAddress,APosition,Apassword) values(?,?,?,?,?,?,?)"); // Insert query to register a person
// bind_param() binds by reference, so the variables can be assigned after this call
$stmt->bind_param("sssssss", $fname, $lname, $dob, $email, $address, $position, $pwd_hashed);

$fname = $_POST["fname"];
$lname = $_POST["lname"];
$dob = $_POST["dob"];
$email = $_POST["email"];
$address = $_POST["address"];
$position = $_POST["position"];

$pepper = getConfigVariable("pepper"); // this call raises the error quoted below
$password = $_POST["password"];
$pwd_peppered = hash_hmac("sha256", $password, $pepper);
$pwd_hashed = password_hash($pwd_peppered, PASSWORD_ARGON2ID);

$stmt->execute();
echo "Registered";

$stmt->close();

The error I get is Call to undefined function getConfigVariable(). The poster on this site https://www.php.net/manual/en/function.password-hash.php says “so a pepper stored in a config file would still be out of reach for the attacker”. Might be a dumb question, but what does he mean when he says config file, because that's where my error points?

The other code I tried, from a different site, which works, is:
$stmt = $conn->prepare("insert into admin(Adminfnam,Adminlnam,DOB,Aemail,AAddress,APosition,Apassword) values(?,?,?,?,?,?,?)"); // Insert query to register a person
// bind_param() binds by reference, so the variables can be assigned after this call
$stmt->bind_param("sssssss", $fname, $lname, $dob, $email, $address, $position, $hashedpassword);

$fname = $_POST["fname"];
$lname = $_POST["lname"];
$dob = $_POST["dob"];
$email = $_POST["email"];
$address = $_POST["address"];
$position = $_POST["position"];
$password = $_POST["password"];
$hashedpassword = password_hash($password, PASSWORD_DEFAULT); // random salt is generated and stored in the hash
$stmt->execute();

So what I'm asking is: what's wrong with my pepper code, and which of these blocks of code would be more secure and why?

I believe getConfigVariable() isn’t a standard function, but a Smarty function which has been replaced by getConfigVars().
But the short answer is: There is no need to do this to your passwords with password_hash(), the recommendation is to just use it as is.

Something something something validate input.

For testing, you could simply replace:

$pepper = getConfigVariable("pepper");
with
$pepper = 'some impressively long random string';

getConfigVar is apparently some function the poster used to read config values. Your app probably has a config file of some sort somewhere. Take a look at where your database credentials are stored. This is where you would probably want to add your pepper value and then access it through the same process you used to access your database connection information.

Is it worth adding a pepper? I personally don’t see it used much anymore. Modern hashing algorithms are pretty secure as is. And the fact that you can never change the value (and still verify a password) can possibly lead to its own issues. But I don’t think it hurts.

1 Like
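The setup described in the reply above, as an added example that is not part of the original thread: the pepper is read from the same config array as the database credentials and applied with the same HMAC step at registration and at login. The config layout, the sample pepper value and the function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a config file kept outside the web root
// (hypothetical layout). In a real app this would be something like:
//   $config = require __DIR__ . '/../config.php';
$config = [
    'db'     => ['host' => 'localhost', 'user' => 'app', 'pass' => 'placeholder'],
    // Constructed sample value. Generate a real one once with
    // bin2hex(random_bytes(32)) and keep it out of version control.
    'pepper' => str_repeat('0123456789abcdef', 4),
];

function pepper_password(string $password, string $pepper): string
{
    // Hex output (the default) keeps NUL bytes out of the string handed to
    // password_hash(); bcrypt treats a NUL byte as the end of the password.
    return hash_hmac('sha256', $password, $pepper);
}

function hash_for_storage(string $password, string $pepper): string
{
    // Argon2id is only available when PHP was built with it; fall back otherwise.
    $algo = defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_DEFAULT;
    return password_hash(pepper_password($password, $pepper), $algo);
}

function verify_login(string $password, string $storedHash, string $pepper): bool
{
    // The identical HMAC step has to run before password_verify().
    return password_verify(pepper_password($password, $pepper), $storedHash);
}

// Registration: this is the value that would be bound to the Apassword column.
$stored = hash_for_storage('correct horse battery staple', $config['pepper']);

// Login checks against the stored value:
var_dump(verify_login('correct horse battery staple', $stored, $config['pepper'])); // right password, same pepper
var_dump(verify_login('wrong password', $stored, $config['pepper']));               // wrong password
var_dump(password_verify('correct horse battery staple', $stored));                 // pepper step skipped
var_dump(verify_login('correct horse battery staple', $stored, 'rotated pepper'));  // pepper changed after storing
```

The last two checks show the operational cost raised in the reply: every login path must apply the pepper, and hashes stored under one pepper stop verifying once the value is changed.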

The password_hash function automatically creates a random salt when it is used, so there is absolutely no need for it.
I don’t recall the source, but I’m sure I read that it is discouraged as it actually makes the resulting hash weaker.

1 Like

I read the same thing about adding your own salts since password hash gets its stuff updated but I thought pepper was something else that could be paired with this to make it stronger? Unless I was mistaken. Probably mistaken.

I poked around a bit more and I could not find any source indicating the peppering actually makes hashes weaker.

1 Like

But does it make them stronger? If not it seems pointless complexity.

Given that password_hash stores the salt as well as all the hasher algorithm parameters as part of the hash then adding a site specific pepper that the attacker would not have access to seems like it would have value.

I’m more than willing to be proven wrong but I have not found any expert opinions as of yet.

2 Likes
