After reading about salts password hashing Id like to implement a simple version for an admin area to a site Im building.
If you have any good links with code that have
There are so many ways you can create a salt string, but i think you don't need to think a lot about your salt strength.
I hash passwords like this
$hash = sha1(strlen($password) . md5($password) . $salt);
I think its the best performance between speed, and "security".
function salt($lenght = 9) {
$numbers = '0123456789';
$chars = 'qwertzuiopasdfghjklyxcvbnm';
$password = '';
$alt = time() % 2;
for ($i = 0; $i < $length; $i++) {
if ($alt == 1)
{
$password .= $chars[(rand() % strlen($chars))];
$alt = 0;
} else
{
$password .= $numbers[(rand() % strlen($numbers))];
$alt = 1;
}
}
return $password;
}
Could you use the built in crypt(...)
function?
... Usage ...
crypt('rasmuslerdorf', '$1$rasmusle$')
... Result ...
MD5: $1$rasmusle$rISCgZzpwk3UhDidwXvin0
... There are more examples and other hash methods available in the documentation.
the code is simple, and dan heberden has already provided it.
a salt is simply a piece of text that you append or prepend to a password before generating a hash. eg, if your password is 'password' and the salt is 'salt' then the hash will be hashFunction('saltpassword')
instead of hashFunction('password')
.
salts are generally used to avoid rainbow password cracks - this is where a large list of passwords and their hashes are checked against the hashed password. eg in the above example, say there is a hash 123456 which corresponds to hashFunction('password')
, if the attacker knows your hash is 123456 then they know your password is 'password'.
your salt should be a random string of letters and numbers - eg kjah!!sdf986. it's very very unlikely for someone to have a rainbow table including kjah!!sdf986password so even if someone gets your hashed password then it's kinda useless.
however, you obviously need to use the same salt every time, or at least store the salt as well as the password. because if you pick a random salt every time chances are your hashed salt+password will not be the same :D
Registration process: User enters a password. System generates a salt value from random data (could be a hash of the time & PID or something). Systems generates a hash value of the password & salt value and stores both of these in the registration table.
Login process: User enters a password. System pulls the salt value from the database and hashes it and the password and compares that against the hashed password value put into the database during registration.
The plaintext password is never stored in the database. The salt value is never visible to the client.
I don't have a link to available code, but what I've done in the past is to generate a randomized salt - $salt = rand(1,1000000000);
- and save it in a session. I pass that salt to a login page and then use JavaScript to create a SHA hash of the salt + password which is submitted rather than a plaintext password. Since the salt is stored in the session I can then use that to see if the login hash matches the salt + password hash stored in the db.
function encodePwd($salt, $string) {
return sha1( $salt . $string );
}
think about salt randomization for a minute though. Password encoding specifically.
If i have salt of "random" and a password of "complex", my sha1 would be
e55ec45f2873a04d2b888a5f59dd3f9d3bb25329
that's stored in the database. I want to check against that.
So when a user supplies me "complex" as a password, i tag "random" in front of it and encode it to get the same hash. If they equal, then bazinga! i'm set.
But what if that was random?
salt when it was stored: "random"
SHA1: e55ec45f2873a04d2b888a5f59dd3f9d3bb25329
salt when the user put it in: "apple"
SHA1: e07b207d77a0bd27d321552fc934b186559f9f42
how am i going to match those?
If you are looking for a more secure method, use data that you have and that is constant like the username or id of user or something (preferably something that won't change). You need a pattern you can rely on.
username would work good (you'd have to make sure to update password if they ever changed the username) that way authentication could look like
`WHERE `username` = '&username' AND `password` = '" . encodePwd( $username, $password ) . "'"`
function encodePwd( $username, $password) {
// maybe modify username on a non-random basis? - like
// $username = sha1( substr($username, 2)); // assuming usernames have a min-length requirement
return sha1( $username . $password ) ;
}