Databases
StackOverflow2013
Postsdbo
POLooking to arrive at a usable solution for password salting in a PHP/MySQL application?
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POLooking to arrive at a usable solution for password salting in a PHP/MySQL application?
    text
    copied!<p>After reading about password hashing/salting for an entire day (no lie!), I'm in need of arriving at a solution that works, can be used consistently, and is about secure <strong>enough</strong> for a variety of different sites/applications that are using a shared codebase.</p> <p>So, here's an idea of a MySQL user table:</p> <pre><code>users { id, username, password_hash, password_salt } </code></pre> <p>..and pseudo-ish code:</p> <pre><code>$s_algo = 'sha1'; $i_iterations = 1000; $s_password = 'mypw123xyuACE&amp;.!3'; $s_salt = hash($s_algo,uniqid(mt_rand(),true)); $s_result = $s_password; for ($i = 0; $i &lt; $i_iterations; $i++) { $s_result = hash($s_algo,$s_result . $s_salt); } echo 'Password: ' . $s_password . "\n"; echo 'Algorithm: ' . $s_algo . "\n"; echo 'Iterations Completed: ' . $i . "\n"; echo 'Salt : ' . $s_salt . "\n"; echo 'Result: ' . $s_result . "\n"; echo 'Length: (Salt:) ' . strlen($s_salt) . ' (Result:) ' . strlen($s_result) . "\n"; </code></pre> <p>The interaction (SQL) between PHP and MySQL is taken as read, as are the bits of PHP code that actually verify the given password from user-land against the stored (salted) hash at authentication time. It's not rocket science. This is from the perspective of already doing all that stuff, but with un-salted hash-only password storage.</p> <p>From my reading I suspect there could be endless debates about what $s_algo should really be (ok, probably NOT md5), and also $i_iterations. So let's just consider that they are <strong>variables</strong> within this problem scenario, which might change according to the specific context, i.e. storage limitations, server load concerns, etc.</p> <p>These things aside, is this methodology for creating a per-user-salted passwords in PHP generally sound? Does the 'for' loop need to be in there at all? Is the initial salt creation code ok? Is the salt-length overkill, storage-wise (equal to the eventual hash length). Please people, pick holes (but not too many!)..</p> <p>Other thoughts:<br> - What about hash_hmac() - is that a critical improvement over multiple hash() iterations?<br> - PBKDF2?</p>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload