We help IT Professionals succeed at work.

PHP - Should Salt be stored in a database or code?

petewinter
petewinter asked
on
I am setting up password encryption using PHP blowfish.

The tutorial I am following suggests having individual user generated salts stored in the database instead of a single salt in the php code. I understand that individual salts for each user is good, but doesn't that mean that if a hacker got access to the database they would have access to both the hashed salt and hashed password? Isn't it safer to separate them. I have looked at Wordpress code and they seem to have the salt in the php wp-config.php file, unless I have missed something?

Which is better?
Comment
Watch Question

Software Developer
Commented:
One single salt means a table for hashes only needs to be computed for that single salt. And don't assume your code is safer than your database. Also, you only think of the case the passwords are of interest only, eg to attack other accounts. But if a hacker has hands on data why would he need passwords at all, when the goal is to get at data?

So an individual hash has a great advantage of needing to crack every single hash. The salt is of help, but not of much help, no.

Todays typical solutions store salt+hash in one value of the users table and it's well known to the underlying algorithm/hashing code used, what part of the value is salt and hash, so again, no the salt is not valuable info making things unsafer, unless all salts are same. The main security feature is having random salts for every hash.

That said nothing speaks against also adding a general salt (or pepper) in code, but typical PHP functions like crypt('Password','$2a$04$Salt'+'Pepper') would also add the Pepper in the result value.

Bye, Olaf.
Scott FellDeveloper & EE Moderator
Fellow 2018
Most Valuable Expert 2013
Commented:
If somebody breaks in to your server, you have other issues.

I think the reason that is suggested is if somebody is trying to brute force or another manner by testing your log in system, it will be that much harder to figure out if the salt varies.  

If they break in, they have everything anyway.  I

Author

Commented:
Thanks. I understand now.
Most Valuable Expert 2017
Distinguished Expert 2019

Commented:
Most Valuable Expert 2011
Top Expert 2016

Commented:
Looks like this was opened and closed so fast that I missed it.  There is some discussion and links associated with issues of storing / salting passwords in the trailer to this article.
https://www.experts-exchange.com/articles/2391/PHP-Client-Registration-Login-Logout-and-Easy-Access-Control.html

Search for "About Storing Passwords."