
PHP - Should Salt be stored in a database or code?

I am setting up password encryption using PHP blowfish.

The tutorial I am following suggests having individual user generated salts stored in the database instead of a single salt in the php code. I understand that individual salts for each user are good, but doesn't that mean that if a hacker got access to the database they would have access to both the hashed salt and hashed password? Isn't it safer to separate them? I have looked at Wordpress code and they seem to have the salt in the php wp-config.php file, unless I have missed something?

Which is better?
Asked by petewinter

2 Solutions
 
Olaf Doschke, Software Developer, commented:
One single salt means a table of hashes only needs to be computed for that single salt. And don't assume your code is safer than your database. Also, you are only thinking of the case where the passwords themselves are of interest, e.g. to attack other accounts. But if a hacker has his hands on the data, why would he need passwords at all, when the goal is to get at the data?

So individual hashes have the great advantage that every single hash needs to be cracked. The salt is of help, but not of much help, no.

Today's typical solutions store salt+hash in one value of the users table, and the underlying algorithm/hashing code knows which part of the value is salt and which is hash, so again, no, the salt is not valuable info that makes things less safe, unless all salts are the same. The main security feature is having random salts for every hash.

That said, nothing speaks against also adding a general salt (or pepper) in code, but typical PHP functions like crypt('Password', '$2a$04$Salt' . 'Pepper') would also include the pepper in the result value.

Bye, Olaf.
0
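Olaf's two points, that salt and hash live in one stored value the hashing code knows how to split, and that a pepper can additionally be kept in code, as an added PHP example that is not part of the original thread. It uses password_hash()/password_verify() with bcrypt, which draws a fresh random per-user salt on every call and embeds it in the returned string, and it applies the pepper as an HMAC key before hashing, so that, unlike appending it to the crypt() salt string, the pepper never appears in the stored value. APP_PEPPER, prehash(), hashPassword() and verifyPassword() are names chosen for this example, and the pepper value is a placeholder, not a real secret.

```php
<?php
// Added example, not code from the original thread.
// Per-user random salt embedded in the bcrypt hash string (stored in the DB),
// plus an application-wide pepper held in code/config (NOT stored in the DB),
// applied via HMAC so the pepper is never part of the stored value.

// Assumed: the pepper lives in a config file the web server can read but the
// database cannot. Placeholder value for illustration only; generate 32 random
// bytes for real use.
define('APP_PEPPER', 'replace-with-32-random-bytes-kept-out-of-the-db');

function prehash(string $password): string
{
    // HMAC-SHA256 binds the password to the secret pepper. base64 keeps the
    // result printable (no NUL bytes) and, at 44 characters, safely below
    // bcrypt's 72-byte input limit.
    return base64_encode(hash_hmac('sha256', $password, APP_PEPPER, true));
}

function hashPassword(string $password): string
{
    // password_hash() generates a 128-bit random salt per call and encodes
    // algorithm, cost, salt and digest in ONE string:
    //   $2y$12$<22-char salt><31-char digest>   (60 characters total)
    // That single string is what goes into the users table; no salt column.
    return password_hash(prehash($password), PASSWORD_BCRYPT, ['cost' => 12]);
}

function verifyPassword(string $password, string $stored): bool
{
    // password_verify() parses cost and salt back out of $stored, so the
    // application never has to know where the salt ends and the hash begins.
    return password_verify(prehash($password), $stored);
}

function saltOf(string $stored): string
{
    // For illustration only: the salt is the 22 characters after "$2y$12$".
    // It is public by design; only the pepper is secret.
    return substr($stored, 7, 22);
}

// Demo: two users choose the same password.
$pw = 'correct horse battery staple';
$h1 = hashPassword($pw);
$h2 = hashPassword($pw);

echo "user1: $h1\n";
echo "user2: $h2\n";
echo "salts differ: " . var_export(saltOf($h1) !== saltOf($h2), true) . "\n";
echo "stored values differ: " . var_export($h1 !== $h2, true) . "\n";
echo "login ok:  " . var_export(verifyPassword($pw, $h1), true) . "\n";
echo "wrong pw:  " . var_export(verifyPassword('Correct horse battery staple', $h1), true) . "\n";
```

Because each call draws its own salt, identical passwords produce different stored values, so a precomputed table for one salt is useless against the rest. An attacker who obtains only the database still has to run bcrypt per guess per user, and without the pepper from the config file cannot verify any guess at all; an attacker who obtains both the database and the server has everything, which is the case Scott describes. The keys and salts WordPress keeps in wp-config.php are used for signing cookies and nonces; its stored password hashes carry their own per-user random salt inside the hash string, as here.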
 
Scott Fell, EE MVE, Developer, commented:
If somebody breaks in to your server, you have other issues.

I think the reason that is suggested is if somebody is trying to brute force, or another manner of testing your login system, it will be that much harder to figure out if the salt varies.

If they break in, they have everything anyway.  I
0
 
petewinter (Author) commented:
Thanks. I understand now.
0
 
Julian Hansen commented:
2
 
Ray Paseur commented:
Looks like this was opened and closed so fast that I missed it. There is some discussion and links associated with issues of storing / salting passwords in the trailer to this article.
https://www.experts-exchange.com/articles/2391/PHP-Client-Registration-Login-Logout-and-Easy-Access-Control.html

Search for "About Storing Passwords."
1
