Solved

PHP - Should Salt be stored in a database or code?

Posted on 2016-08-19
Last Modified: 2016-08-20
I am setting up password encryption using PHP blowfish.

The tutorial I am following suggests having individual user-generated salts stored in the database instead of a single salt in the PHP code. I understand that individual salts for each user are good, but doesn't that mean that if a hacker got access to the database they would have access to both the hashed salt and hashed password? Isn't it safer to separate them? I have looked at WordPress code and they seem to have the salt in the PHP wp-config.php file, unless I have missed something?

Which is better?
Question by:petewinter
5 Comments
 
LVL 29

Accepted Solution

by:
Olaf Doschke earned 250 total points
ID: 41762112
One single salt means a table for hashes only needs to be computed for that single salt. And don't assume your code is safer than your database. Also, you only think of the case where the passwords are of interest, e.g. to attack other accounts. But if a hacker has his hands on the data, why would he need passwords at all, when the goal is to get at data?

So an individual hash has a great advantage of needing to crack every single hash. The salt is of help, but not of much help, no.

Today's typical solutions store salt+hash in one value of the users table, and it's well known to the underlying algorithm/hashing code used which part of the value is salt and which is hash, so again, no, the salt is not valuable info making things less safe, unless all salts are the same. The main security feature is having random salts for every hash.

That said, nothing speaks against also adding a general salt (or pepper) in code, but typical PHP functions like crypt('Password', '$2a$04$Salt' . 'Pepper') would also add the pepper in the result value.

Bye, Olaf.
0
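An added example, not code from this thread or the linked article, of the layout described in the answer above: a per-user random salt stored inside the hash value itself, plus an optional pepper kept in code. It assumes PHP 7+ with the built-in `password_hash()` family; `APP_PEPPER` and the three helper functions are hypothetical names, and the passwords are constructed sample data.

```php
<?php
// Assumption: the pepper lives outside the database (config file or environment).
// Constructed placeholder value; generate your own random secret.
const APP_PEPPER = 'constructed-example-pepper-change-me';

// HMAC the password with the pepper first. The hex output is 64 bytes,
// which stays under bcrypt's 72-byte input limit and contains no NUL bytes.
function pepper_password(string $password): string
{
    return hash_hmac('sha256', $password, APP_PEPPER);
}

// password_hash() generates a fresh random salt on every call and embeds it
// in the returned string, so one column holds algorithm, cost, salt and hash.
function make_stored_hash(string $password): string
{
    return password_hash(pepper_password($password), PASSWORD_BCRYPT, ['cost' => 10]);
}

// password_verify() reads the cost and salt back out of the stored value.
function check_password(string $password, string $stored): bool
{
    return password_verify(pepper_password($password), $stored);
}

// Two users who picked the same password (constructed sample data).
$alice = make_stored_hash('correct horse battery staple');
$bob   = make_stored_hash('correct horse battery staple');

// bcrypt layout: "$2y$" + 2-digit cost + "$" + 22-char salt + 31-char hash.
foreach (['alice' => $alice, 'bob' => $bob] as $user => $stored) {
    printf("%-5s stored=%s\n      salt=%s hash=%s\n",
        $user, $stored, substr($stored, 7, 22), substr($stored, 29));
}

// Same password, different salts: the stored values are compared here.
var_dump($alice === $bob);
// Verification needs the pepper from code plus the salt from the stored value.
var_dump(check_password('correct horse battery staple', $alice));
var_dump(check_password('wrong password', $alice));
// The cost is also read from the stored value, which allows later upgrades.
var_dump(password_needs_rehash($alice, PASSWORD_BCRYPT, ['cost' => 12]));
```

Unlike the `crypt()` call in the answer, the pepper here is applied with an HMAC before hashing, so it does not appear in the stored value.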
 
LVL 52

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell,  EE MVE earned 250 total points
ID: 41762119
If somebody breaks into your server, you have other issues.

I think the reason that is suggested is that if somebody is trying to brute force, or in another manner testing your login system, it will be that much harder to figure out if the salt varies.

If they break in, they have everything anyway.  I
0
 

Author Closing Comment

by:petewinter
ID: 41762165
Thanks. I understand now.
0
 
LVL 51

Expert Comment

by:Julian Hansen
ID: 41762549
2
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 41763637
Looks like this was opened and closed so fast that I missed it.  There is some discussion and links associated with issues of storing / salting passwords in the trailer to this article.
https://www.experts-exchange.com/articles/2391/PHP-Client-Registration-Login-Logout-and-Easy-Access-Control.html

Search for "About Storing Passwords."
1
