Solved

What is SALT in crypt function?

Posted on 2004-09-18
Last Modified: 2012-05-05
What is SALT and what are its uses?
Question by:chilled2003
5 Comments
 
LVL 36

Expert Comment

by:Zyloch
ID: 12090803
Hi chilled2003,

A salt is a random string that you can use with crypt to make it more secure. If you don't include it, PHP will automatically generate a two character salt. However, you can do it yourself, for instance, using microtime() to make the salt--this way, it'll be harder to break.

Regards,
Zyloch
0
 

Author Comment

by:chilled2003
ID: 12090815
Yeah, but how does it make it more secure? I read somewhere that one uses a random salt so the result is different every time. That sounded good, but wouldn't you need the same salt to unencrypt it?
0
 
LVL 48

Assisted Solution

by:hernst42
hernst42 earned 100 total points
ID: 12090835
The random salts are used so the same password does not look the same.
The salt is prepended to the crypted password, so you can get the salt by taking the first two characters.

So if an attacker gets a list of salted passwords and wants to crack the passwords, he must do that with every salt combination.
0
 
LVL 36

Accepted Solution

by:Zyloch
Zyloch earned 200 total points
ID: 12090844
Mainly, the salt is used to make it more difficult for the person to get the password. crypt() is supposedly a one-way function, meaning you can't decrypt. However, the person can still guess the password, but with a different salt, it's extremely difficult. I correct myself, you don't want microtime() as a salt because it changes. You set something as the salt, then you can use crypt again with that salt to get the same value. A standard example is password checking. The user enters their password, you use crypt with a salt on it and store it in the database. The next time they login, you take their entered password, do crypt with the same salt, and compare it. This way, the password stays secure as even if they get the database version, they can't find the true password.

(You might also want to use SHA1 or MD5 for this as crypt() isn't as secure)
0
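The mechanism described in the answers above (the salt sits in the first two characters of the crypt() output, and a login check re-runs crypt() with that salt), as an added PHP example that is not part of the original thread. The password, the salts `ab` and `Xz`, and the helper names `salt_of` and `check_password` are constructed for illustration; the closing `password_hash()` lines go beyond the thread to show the same idea in PHP's current password API.

```php
<?php
// Added example, not code from the thread. Passwords and salts are constructed.

// Traditional DES crypt(): the first two characters of the output are the
// salt, so the stored string carries what is needed to re-check a password.
// (DES crypt also only reads the first 8 characters of the password.)
function salt_of(string $stored): string
{
    return substr($stored, 0, 2);
}

// Verification re-hashes the submitted password with the salt read from the
// stored value and compares in constant time. Nothing is decrypted.
function check_password(string $submitted, string $stored): bool
{
    return hash_equals($stored, crypt($submitted, $stored));
}

$alice = crypt('s3cretpw', 'ab');   // user 1, salt "ab"
$bob   = crypt('s3cretpw', 'Xz');   // user 2, same password, salt "Xz"

printf("alice: %s (salt %s)\n", $alice, salt_of($alice));
printf("bob:   %s (salt %s)\n", $bob, salt_of($bob));
printf("same password, same stored value? %s\n",
    var_export($alice === $bob, true));
printf("correct password accepted? %s\n",
    var_export(check_password('s3cretpw', $alice), true));
printf("wrong password accepted?   %s\n",
    var_export(check_password('guess123', $alice), true));

// Current PHP: password_hash() picks a random salt per call and embeds it in
// the result the same way; password_verify() reads it back out.
$h1 = password_hash('s3cretpw', PASSWORD_DEFAULT);
$h2 = password_hash('s3cretpw', PASSWORD_DEFAULT);
printf("password_hash outputs differ? %s\n", var_export($h1 !== $h2, true));
printf("both verify? %s\n", var_export(
    password_verify('s3cretpw', $h1) && password_verify('s3cretpw', $h2),
    true
));
```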
 

Author Comment

by:chilled2003
ID: 12090859
Thanks a lot for all the info.  Helps a lot.  :D
0
