Using blowfish in PHP for storing passwords
<p>This whole cryptology thing is a lot to swallow, but it's really interesting and I've been reading about it lately.</p>
<p>My question is about using blowfish to hash your passwords for storage. I know a salt is needed, but I'm not exactly sure what to do for it. I have some questions.</p>
<ol>
<li><p>In many tutorials I read, people just seemingly randomly come up with one like "oidsjf03" and use it for all their salts. Do they just mash their keyboard or what?</p></li>
<li><p>I've also read a lot that says each password should have a unique hash. So I generate a separate salt for each password I store. Then I'd have to store that somewhere. Where, however? If I just store it as an entry in the user's row, if the database was compromised could they not just generate rainbow tables with that salt?</p>
<p>Would I be correct in saying this isn't viable, as they'd need to generate a rainbow table for every password, and with blowfish creating each hash would take a while, so this wouldn't be practical?</p></li>
<li><p>Why is having a unique one for each user so important? Say you're using blowfish and your database is compromised, and your salt gets captured as well. The hacker could create a rainbow table to test your passwords, but with a good amount of rounds on the hash, it may take 0.1 seconds per password, for instance. If they want to create a rainbow table with 1 billion entries, that's 100 million seconds to create it (or around 3 years).</p>
<p>If you used unique salts and had, say, 1000 passwords, they'd have to create 1000 rainbow tables, increasing the amount of time to 3000 years. Is this why? The amount of time goes up per password stored?</p></li>
<li><p>How do you generate this salt for the hash? Is PHP's <code>uniqid()</code> function enough, or should I be doing some fancy stuff?</p></li>
<li><p>Do I really need to create a full-out class et al., or can I create a simple function?</p></li>
<li><p>Lastly, I've heard phpass mentioned a lot for its security and how users should just use that instead of potentially making errors themselves. Is this really the recommended practice?</p></li>
</ol>
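<p>As an added example (not part of the question, and not phpass or any answer's code), the following PHP shows the pieces the question asks about in one place: the salt comes from the OS CSPRNG rather than <code>uniqid()</code> or a hand-typed string, it is embedded in the 60-character bcrypt output and stored in the user's row with no separate column, each password gets its own salt so two hashes of the same password differ, and the cost parameter is what makes per-salt table building impractical. It assumes PHP 7 or newer (<code>random_bytes()</code>, <code>password_hash()</code>); the function names <code>hashPassword</code>, <code>verifyPassword</code>, <code>needsUpgrade</code>, <code>manualBcrypt</code> and <code>benchmarkCost</code> are my own, and the sample passwords are constructed.</p>

```php
<?php
// Added example, not code from the question or from phpass.
// Assumes PHP >= 7.0 (random_bytes, password_hash, PASSWORD_BCRYPT).
declare(strict_types=1);

// Work factor: each +1 doubles the time per hash (and per guess for an
// attacker). Tune it so one hash costs roughly 100-250 ms on the real server.
const BCRYPT_COST = 12;

// Produce the bcrypt string "$2y$<cost>$<22-char salt><31-char digest>".
// password_hash() draws the 16-byte salt from the CSPRNG itself, so the
// caller never generates or stores a salt separately.
function hashPassword(string $password): string
{
    // bcrypt only uses the first 72 bytes of input; refusing longer input is a
    // design choice here so truncation cannot go unnoticed.
    if (strlen($password) > 72) {
        throw new InvalidArgumentException('password longer than 72 bytes');
    }
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// The salt and cost are parsed back out of the stored string, so the only
// thing the user's row needs is this one column. Comparison is constant-time.
function verifyPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// After a successful login, detect hashes made with an older or lower cost so
// they can be re-hashed with the current parameters.
function needsUpgrade(string $storedHash): bool
{
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// The same thing built by hand with crypt(), only to make the salt format
// visible. Real code should use password_hash() above.
function manualBcrypt(string $password, int $cost): string
{
    // 22 characters from the bcrypt alphabet [./A-Za-z0-9], from 16 random bytes.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $setting = sprintf('$2y$%02d$%s', $cost, $salt);
    $hash = crypt($password, $setting);
    // crypt() returns a short string (e.g. "*0") on failure; a bcrypt hash is 60 bytes.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

// Seconds taken by one hash at the given cost, for picking BCRYPT_COST.
function benchmarkCost(int $cost): float
{
    $start = microtime(true);
    password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost]);
    return microtime(true) - $start;
}

// Demo with constructed values; run with: php example.php
$stored = hashPassword('correct horse battery staple');
echo "stored in user row: $stored\n";
echo "salt embedded at bytes 7..28: " . substr($stored, 7, 22) . "\n";
echo "correct password verifies: " . (verifyPassword('correct horse battery staple', $stored) ? 'yes' : 'no') . "\n";
echo "wrong password verifies:   " . (verifyPassword('wrong password', $stored) ? 'yes' : 'no') . "\n";

// Same password hashed twice yields different strings because each call gets its own salt.
echo "two hashes of one password identical: " . (hashPassword('same') === hashPassword('same') ? 'yes' : 'no') . "\n";

// A hash recorded with cost 04 would be flagged for re-hashing at login.
$lowCost = '$2y$04$' . substr($stored, 7);
echo "cost-4 hash needs upgrade: " . (needsUpgrade($lowCost) ? 'yes' : 'no') . "\n";

$manual = manualBcrypt('same', BCRYPT_COST);
echo "hand-built hash verifies with password_verify: " . (password_verify('same', $manual) ? 'yes' : 'no') . "\n";

printf("cost %d: %.3f s per hash on this machine\n", BCRYPT_COST, benchmarkCost(BCRYPT_COST));
```

<p>The design point is that the per-user salt living in the same row as the hash is expected and fine: its job is to force an attacker who obtains the table to run the full-cost bcrypt computation once per guess per user, rather than once per guess for the whole table. The benchmark is there because the cost, not the salt, is what sets that price, and it should be raised over time; <code>needsUpgrade()</code> lets old rows catch up the next time their owner logs in.</p>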