Solved

PHP - Should Salt be stored in a database or code?

Posted on 2016-08-19
5
70 Views
Last Modified: 2016-08-20
I am setting up password encryption using PHP blowfish.

The tutorial I am following suggests having individual user generated salts stored in the database instead of a single salt in the php code. I understand that individual salts for each user is good, but doesn't that mean that if a hacker got access to the database they would have access to both the hashed salt and hashed password? Isn't it safer to separate them. I have looked at Wordpress code and they seem to have the salt in the php wp-config.php file, unless I have missed something?

Which is better?
0
Comment
Question by:petewinter
5 Comments
 
LVL 29

Accepted Solution

by:
Olaf Doschke earned 250 total points
ID: 41762112
One single salt means a table for hashes only needs to be computed for that single salt. And don't assume your code is safer than your database. Also, you only think of the case the passwords are of interest only, eg to attack other accounts. But if a hacker has hands on data why would he need passwords at all, when the goal is to get at data?

So an individual hash has a great advantage of needing to crack every single hash. The salt is of help, but not of much help, no.

Todays typical solutions store salt+hash in one value of the users table and it's well known to the underlying algorithm/hashing code used, what part of the value is salt and hash, so again, no the salt is not valuable info making things unsafer, unless all salts are same. The main security feature is having random salts for every hash.

That said nothing speaks against also adding a general salt (or pepper) in code, but typical PHP functions like crypt('Password','$2a$04$Salt'+'Pepper') would also add the Pepper in the result value.

Bye, Olaf.
0
 
LVL 52

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell,  EE MVE earned 250 total points
ID: 41762119
If somebody breaks in to your server, you have other issues.

I think the reason that is suggested is if somebody is trying to brute force or another manner by testing your log in system, it will be that much harder to figure out if the salt varies.  

If they break in, they have everything anyway.  I
0
 

Author Closing Comment

by:petewinter
ID: 41762165
Thanks. I understand now.
0
 
LVL 53

Expert Comment

by:Julian Hansen
ID: 41762549
2
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 41763637
Looks like this was opened and closed so fast that I missed it.  There is some discussion and links associated with issues of storing / salting passwords in the trailer to this article.
https://www.experts-exchange.com/articles/2391/PHP-Client-Registration-Login-Logout-and-Easy-Access-Control.html

Search for "About Storing Passwords."
1

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
Encryption for Business Encryption (https://en.wikipedia.org/wiki/Encryption) ensures the safety of our data when sending emails. In most cases, to read an encrypted email you must enter a secret key that will enable you to decrypt the email. T…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now