Solved

What is SALT in crypt function?

Posted on 2004-09-18
Last Modified: 2012-05-05
What is SALT and what are its uses?
Question by:chilled2003

Expert Comment

by:Zyloch
ID: 12090803
Hi chilled2003,

A salt is a random string that you can use with crypt to make it more secure. If you don't include it, PHP will automatically generate a two-character salt. However, you can do it yourself, for instance, using microtime() to make the salt; this way, it'll be harder to break.

Regards,
Zyloch

Author Comment

by:chilled2003
ID: 12090815
Yeah, but how does it make it more secure? I read somewhere that one uses a random salt so the result is different every time. That sounded good, but wouldn't you need the same salt to unencrypt it?

Assisted Solution

by:hernst42
hernst42 earned 25 total points
ID: 12090835
The random salts are used so the same password does not look the same.
The salt is prepended to the crypted password, so you can get the salt by taking the first two characters.

So if an attacker gets a list of salted passwords and wants to crack the passwords, he must do that with every salt combination.

Accepted Solution

by:Zyloch
Zyloch earned 50 total points
ID: 12090844
Mainly, the salt is used to make it more difficult for the person to get the password. crypt() is supposedly a one-way function, meaning you can't decrypt. However, the person can still guess the password, but with a different salt, it's extremely difficult. I correct myself: you don't want microtime() as a salt because it changes. You set something as the salt, then you can use crypt again with that salt to get the same value. A standard example is password checking. The user enters their password, you use crypt with a salt on it and store it in the database. The next time they log in, you take their entered password, do crypt with the same salt, and compare it. This way, the password stays secure as even if they get the database version, they can't find the true password.

(You might also want to use SHA1 or MD5 for this as crypt() isn't as secure)
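
How the salt travels with the stored value and is reused at login, as the two answers above describe (an added example, not code from the thread; the function names and sample passwords are constructed). It goes one step beyond the thread by also showing PHP's password_hash() and password_verify(), which embed the salt in the stored string in the same way.

```php
<?php
// Added example; function names and sample passwords are constructed.

// Build a random two-character salt from the traditional crypt() alphabet.
function random_des_salt(): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 2; $i++) {
        $salt .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $salt;
}

// Registration: hash with a fresh salt. The result begins with that salt,
// so only this one string needs to be stored.
function store_password(string $password): string
{
    return crypt($password, random_des_salt());
}

// Login: pass the stored hash as the salt argument. crypt() reads the salt
// from its first two characters and recomputes; compare in constant time.
function check_password(string $attempt, string $stored): bool
{
    return hash_equals($stored, crypt($attempt, $stored));
}

$a = store_password('hunter2');
$b = store_password('hunter2');   // same password, independent salt

printf("user A: %s (salt %s)\n", $a, substr($a, 0, 2));
printf("user B: %s (salt %s)\n", $b, substr($b, 0, 2));
printf("identical hashes: %s\n", var_export($a === $b, true));
printf("right password:   %s\n", var_export(check_password('hunter2', $a), true));
printf("wrong password:   %s\n", var_export(check_password('hunter3', $a), true));

// Beyond the thread: password_hash() generates the salt itself and embeds it
// (with the algorithm and cost) in its output, so verification works the same way.
$modern = password_hash('hunter2', PASSWORD_DEFAULT);
printf("password_hash:    %s\n", $modern);
printf("password_verify:  %s\n", var_export(password_verify('hunter2', $modern), true));
```

Traditional two-character-salt crypt() only uses the first eight characters of the password, which is one reason new code stores the password_hash() output instead.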

Author Comment

by:chilled2003
ID: 12090859
Thanks a lot for all the info.  Helps a lot.  :D