Prorzar Mladek

Reputation: 3

Is this ok? Salting

Hey, I would like to have your input on this.

I use this to generate unique salts for each of my users when they register (random letters and numbers). How big is the chance that salts will collide?

uniqid(mt_rand());

I then use md5 to hash salt, password and email (in that order) together as password and rehash when they log in.

md5($salt . $password . $email);

How much safer than just md5 is this? Something I can improve?

CREATE TABLE IF NOT EXISTS `users` (
`id` mediumint(8) unsigned NOT NULL AUTO_INCREMENT,
`username` varchar(24) CHARACTER SET utf8 NOT NULL,
`password` varchar(32) CHARACTER SET utf8 NOT NULL,
`email` varchar(255) CHARACTER SET utf8 NOT NULL,
`salt` varchar(255) CHARACTER SET utf8 NOT NULL,
 PRIMARY KEY (`id`),
 UNIQUE KEY `username` (`username`),
 UNIQUE KEY `email` (`email`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

Upvotes: 0

Views: 402

Answers (5)

meme

Reputation: 12197

You might also consider using SHA256; we are seeing more and more exploits with MD5. SHA256 will require additional storage space due to the length of the hash results, but I think it is worth it.

$hashed = hash('sha256', $per_user_salt . $password . $app_salt );

Note: this does require PHP 5.1.2 or greater.

Upvotes: 0

xtofl

Reputation: 41509

getrandmax seems to return a rather big number (2147483647), depending on your platform. The chance that you encounter any given N is hence 1/2147483647.

The chance that you don't encounter N is 1-1/2147483647.

So the chance that you don't encounter the first, second, third, ... Pth N becomes the Pth power of (1-1/2147483647).

So the chance you do encounter one of P distributed salts is 1 - (chance you don't encounter any of P salts)

= 1 - (1-1/max)**P

This means a curve going steeply down from about a quarter of a gig of salts (a table from Excel):

                        max
                          2,147,483,647
            P = number/salts        ( 1 - 1/max ) ^ P       collision chance
               16777216                    0                   1%
               33554432                    0                   2%
               67108864                    0                   3%
              134217728                    0                   6%
              268435456                    0                  12%
              536870912                    0                  22%
             1073741824                    0                  39%
             2147483648                    0                  63%
             4294967296                    0                  86%
             8589934592                    0                  98%
            17179869184                    0                 100%

Upvotes: 3

tvanfosson

Reputation: 532455

I wouldn't use the email address in the password hash. If a person changes their email address it would invalidate the hashed password and thus you'd have to have the user change their password every time they change their email address. I typically use a salt per user and a salt per application (fixed for all users). This way an attacker would need access to both your application and your user database to gain access.

$hashed = md5( $per_user_salt . $password . $app_salt );

Upvotes: 4

Alex Reitbort

Reputation: 13696

It does not matter if they collide. The purpose of the salt is that if you hash the same value twice but with different salts, the result will be different. If an attacker acquires your database of hashes, the salt will render ineffective an attack with a pre-calculated database of hashes of known passwords. The salt itself is not a secret, and collisions of salts are not a problem.

Upvotes: 13
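
An added example, not part of the answer above or of the asker's code: it hashes constructed users with the question's `md5($salt . $password . $email)` and checks the results against a precomputed table of unsalted MD5 hashes, then forces a salt collision to show what that actually exposes. The helper names `build_lookup` and `salted_hash`, the addresses, passwords and the shared salt are all assumptions made for the illustration.

```php
<?php
// Added example; every user, password and salt here is constructed sample data.

// Precomputed table built once from candidate passwords: md5(password) => password.
function build_lookup(array $candidates): array {
    $table = [];
    foreach ($candidates as $pw) {
        $table[md5($pw)] = $pw;
    }
    return $table;
}

// The question's scheme: md5 over salt, password and email, in that order.
function salted_hash(string $salt, string $password, string $email): string {
    return md5($salt . $password . $email);
}

$lookup = build_lookup(['123456', 'password', 'letmein']);

// Two constructed users who picked the same password, each with their own salt.
$users = [
    ['email' => 'a@example.test', 'password' => 'letmein', 'salt' => uniqid(mt_rand())],
    ['email' => 'b@example.test', 'password' => 'letmein', 'salt' => uniqid(mt_rand())],
];

foreach ($users as $u) {
    $plain  = md5($u['password']);                                   // no salt at all
    $salted = salted_hash($u['salt'], $u['password'], $u['email']);  // question's scheme
    printf("%s  unsalted in table: %s  salted in table: %s  stored: %s\n",
        $u['email'],
        isset($lookup[$plain]) ? 'yes' : 'no',
        isset($lookup[$salted]) ? 'yes' : 'no',
        $salted);
}

// Forced salt collision, hashing salt and password only (no email).
// Equal salt plus equal password gives equal hashes, so the two rows are
// visibly linked, but the value is still absent from the precomputed table.
$shared = 'constructed-shared-salt';
$h1 = md5($shared . 'letmein');
$h2 = md5($shared . 'letmein');
$h3 = md5($shared . 'hunter2');

printf("same salt, same password, equal hashes: %s\n", $h1 === $h2 ? 'yes' : 'no');
printf("same salt, different password, equal hashes: %s\n", $h1 === $h3 ? 'yes' : 'no');
printf("collided hash found in table: %s\n", isset($lookup[$h1]) ? 'yes' : 'no');
```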

powtac

Reputation: 41050

They will never collide.

....maybe once in 10000000000000000.

Upvotes: -1
