Question

I am working on a php/mysql login system for a webproject. After looking through SO and alot of articles on the web Ive come up with a basic framework and started writing some code for it. However Ive come to a bit of an impasse in password encryption.

After a nights worth of reading Ive found out that:

  • I should the users password with at least sha1 or sha2
  • I should also use a randomly generated salt (this is what I need help with) and append it to the password before encrypting it
  • the hashed password and the randomly generated salt should be stored in the database and then queried and combined/encrypted then checked against the users hashed password.

My problem is coming in randomly generating the salt,

Was it helpful?

Solution

Possibilities I can think of:

  • Use mt_rand() in a loop to pick an ASCII code, get the corresponding character with chr() and concatenate to salt.

    This allows to create salts with any length.

  • Define a string with available characters, use mt_rand() in a loop to pick random positions from it, extract the character in the selected position with substr() or mb_substr() and concatenate to salt.

    This allows to create salts with a chosen character set and length.

  • Use a builtin function that generates a random string (e.g. uniqid()) and optionally hash it.

    This is quick and simple.

I normally use the second option.

OTHER TIPS

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top