Reputation: 133
Unique generated SALT for each user?
I'd like to ask if it's possible to generate a unique salt for each user and then hash it like
sha1(sha1($password . $salt))
so the $salt is a randomly generated string?.
If yes, how would I encrypt the password on login?
Xenforo uses this, and I am wondering how are they encrypting the passwords if they are using unique salt for each user?.
Many thanks.
Upvotes: 0
Views: 1470
Answers (1)
Reputation: 298156
Don't make your own password hashing algorithm. It's going to be easily crackable and your users won't appreciate their passwords being stolen when your database is compromised.
Bcrypt and other well-tested hashes do this already:
>>> bcrypt.generate_password_hash('password', 15)
'$2a$15$bzaLXuer1C8dtSckDp3AI.eOoL/nOTsSdpjEMyDMcJ3ZQELdRcLzq'
>>> bcrypt.generate_password_hash('password', 15)
'$2a$15$Ye.cFInKhzo1KvAJGSi6yORV5uEqeW.Z1oAhdfi.163Psz4YPA3CO'
The random salt and the number of rounds are stored within the hash itself, separated by a delimiter, which lets the constant-time password checking function pick the salt out of the resulting hash string.
If for some other reason you need to create secure random strings, use openssl_random_pseudo_bytes():
$bytes = openssl_random_pseudo_bytes(64, true);
$hex = bin2hex($bytes);
Upvotes: 6
Related Questions
- PHP: Options to generate an unique user key
- PHP hashed & salted password
- Can this called SALT?
- Generating Strong Unique User ID's w/PHP & MySQL
- Can we use uniqid() to generate a unique Salt in PHP
- Generating unique salt (non-validated example given)
- Hashing (with salts) Username and Password in php
- using sha256 as hashing and salting with user's ID
- Generating salts from other user fields
- salt and hash generation question