?
Solved

PHP - Should Salt be stored in a database or code?

Posted on 2016-08-19
5
Medium Priority
?
158 Views
Last Modified: 2016-08-20
I am setting up password encryption using PHP blowfish.

The tutorial I am following suggests having individual user generated salts stored in the database instead of a single salt in the php code. I understand that individual salts for each user is good, but doesn't that mean that if a hacker got access to the database they would have access to both the hashed salt and hashed password? Isn't it safer to separate them. I have looked at Wordpress code and they seem to have the salt in the php wp-config.php file, unless I have missed something?

Which is better?
0
Comment
Question by:petewinter
5 Comments
 
LVL 30

Accepted Solution

by:
Olaf Doschke earned 1000 total points
ID: 41762112
One single salt means a table for hashes only needs to be computed for that single salt. And don't assume your code is safer than your database. Also, you only think of the case the passwords are of interest only, eg to attack other accounts. But if a hacker has hands on data why would he need passwords at all, when the goal is to get at data?

So an individual hash has a great advantage of needing to crack every single hash. The salt is of help, but not of much help, no.

Todays typical solutions store salt+hash in one value of the users table and it's well known to the underlying algorithm/hashing code used, what part of the value is salt and hash, so again, no the salt is not valuable info making things unsafer, unless all salts are same. The main security feature is having random salts for every hash.

That said nothing speaks against also adding a general salt (or pepper) in code, but typical PHP functions like crypt('Password','$2a$04$Salt'+'Pepper') would also add the Pepper in the result value.

Bye, Olaf.
0
 
LVL 54

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell,  EE MVE earned 1000 total points
ID: 41762119
If somebody breaks in to your server, you have other issues.

I think the reason that is suggested is if somebody is trying to brute force or another manner by testing your log in system, it will be that much harder to figure out if the salt varies.  

If they break in, they have everything anyway.  I
0
 

Author Closing Comment

by:petewinter
ID: 41762165
Thanks. I understand now.
0
 
LVL 61

Expert Comment

by:Julian Hansen
ID: 41762549
2
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 41763637
Looks like this was opened and closed so fast that I missed it.  There is some discussion and links associated with issues of storing / salting passwords in the trailer to this article.
https://www.experts-exchange.com/articles/2391/PHP-Client-Registration-Login-Logout-and-Easy-Access-Control.html

Search for "About Storing Passwords."
1

Featured Post

[Webinar] Kill tickets & tabs using PowerShell

Are you tired of cycling through the same browser tabs everyday to close the same repetitive tickets? In this webinar JumpCloud will show how you can leverage RESTful APIs to build your own PowerShell modules to kill tickets & tabs using the PowerShell command Invoke-RestMethod.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Businesses who process credit card payments have to adhere to PCI Compliance standards. Here’s why that’s important.
The well known Cerber ransomware continues to spread this summer through spear phishing email campaigns targeting enterprises. Learn how it easily bypasses traditional defenses - and what you can do to protect your data.
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to count occurrences of each item in an array.
Suggested Courses

599 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question