-1

I am working on a php/mysql login system for a webproject. After looking through SO and alot of articles on the web Ive come up with a basic framework and started writing some code for it. However Ive come to a bit of an impasse in password encryption.

After a nights worth of reading Ive found out that:

  • I should the users password with at least sha1 or sha2
  • I should also use a randomly generated salt (this is what I need help with) and append it to the password before encrypting it
  • the hashed password and the randomly generated salt should be stored in the database and then queried and combined/encrypted then checked against the users hashed password.

My problem is coming in randomly generating the salt,

Sam Genest
  • 107
  • 1
  • 12
  • Small remark here: SHA1/2/... is not an encryption algorithm, but a hashing algorithm. Meaning that it's not possible to find the original password from the hash value. Also, in the interest of stopping rainbow table attacks and just as a good security practice, don't hash just once, hash your hash at least 100 times, more if you want. – AVH Mar 15 '12 at 10:11

2 Answers2

0

uniqid() ?

http://sg2.php.net/uniqid

Andreas Wong
  • 59,630
  • 19
  • 106
  • 123
0

Possibilities I can think of:

  • Use mt_rand() in a loop to pick an ASCII code, get the corresponding character with chr() and concatenate to salt.

    This allows to create salts with any length.

  • Define a string with available characters, use mt_rand() in a loop to pick random positions from it, extract the character in the selected position with substr() or mb_substr() and concatenate to salt.

    This allows to create salts with a chosen character set and length.

  • Use a builtin function that generates a random string (e.g. uniqid()) and optionally hash it.

    This is quick and simple.

I normally use the second option.

Álvaro González
  • 142,137
  • 41
  • 261
  • 360