Menu
My database stores unique salts for every user.
I'm creating a login script in php for an application where each user has it's own unique salt and here's how I plan to implement the login.
I need the script to return the salt for that user because otherwise how would my app verify that the submitted password is correct when it cannot hash the password without the salt and send it back?
Now here's what I'm unsure about. Does it matter whether the salt is encrypted or not because a hacker could just see what it is and see the password hash and maybe could do something with it. Should I encrypt the salt before I send it?
Maybe I'm not understanding/overlooking something in the replies below.
Advice needed please.
745
It doesn't matter if your salts are hashed or left as plain strings - the important point is that salting a password prevents the direct use of dictionary/rainbow table attacks to brute-force crack passwords. An added advantage is that each user has a different hashed password as a result.
Salts are randomly generated string that are created server-side and don't involve any kind of transmission to or from the browser.
On your server:
// Password from form
$pw = $_GET['password'];
// Generate salt using unique values
$salt = (rand(8).$registration_date.$username);
// Password to be hashed
$pwthb = ($pw.$salt);
If a hacker gains access to your databases, then your game is over in the majority of cases as you need to store the initial random salt to hash it for comparison.
A simple example:
Note: hashing can be done using PHP or using MySQL/DB functions
When the user returns:
In terms of further reading, It's probably worth looking over the following:
117
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
