vanamerongen

Reputation: 837

Using encryption and salt with Zend Framework 2's Authentication

I'm sort of a beginner, but I've been trying to learn to work with Zend Framework 2. I'm using a module I cloned from a public repo to authenticate users. It uses MD5, like so:

use Zend\Authentication\Adapter\DbTable as DbAuthAdapter; // assumed alias for ZF2's DbTable auth adapter
$dbAdapter      = $sm->get('Zend\Db\Adapter\Adapter');    // $sm is the ServiceManager
$dbAuthAdapter  = new DbAuthAdapter($dbAdapter, 'user', 'username', 'password', 'MD5(?)'); // table, identity column, credential column, credential treatment applied in SQL

However, first of all I'd like to use something other than MD5 (like SHA-2?), since I've read on several occasions that MD5 isn't secure anymore, and I'd also like to use a salt value. I want to generate a random salt value for each user and store it in their table row in a separate column, and store their password as the hashed salt + password. That part shouldn't be a problem.

The problem I have with this is how to validate it using the adapter I have set up in the module. I want to get the salt value from the database, prepend it to the password given by the user through the login form, encrypt that, and compare it to the stored password. How do I get the user's salt value from the database? How do I use a different encryption instead of MD5?

Upvotes: 0

Views: 2840

Answers (1)

Ashley

Reputation: 5947

I suggest you do a couple of things:

  • Add another column to your users table, called salt or something similar. When a user registers, create a salt and store it into this column.
  • Store a static salt for your site in a configuration file.
  • When a user registers, use a hashing function (sha2 if you like) and concatenate the password, static salt, and custom salt into one string which is hashed.
  • Store the hash and ensure you use the same method for checking the password on login.

Here is more information: http://framework.zend.com/manual/2.0/en/modules/zend.crypt.key.derivation.html

The docs hint at this implementation as well: http://framework.zend.com/manual/2.1/en/modules/zend.authentication.adapter.dbtable.html

Upvotes: 2
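The registration and login steps the answer lists, as an added example in plain PHP (not code from the question, the answer, or Zend Framework). A PHP array stands in for the users table, and STATIC_SALT and the user records are constructed values; the only assumption about the framework is that the comparison is done in PHP instead of through the MD5(?) credential treatment evaluated in SQL.

```php
<?php
// Added example: the salting scheme described in the answer, implemented in
// plain PHP. An in-memory array stands in for the `user` table; the static
// salt and the sample users are constructed values for this example.

// Site-wide static salt: in practice loaded from a config file, never stored in the DB.
const STATIC_SALT = 'example-static-salt-from-config';

function makeSalt()
{
    // 16 random bytes, hex-encoded so it fits a CHAR(32) column (PHP >= 7).
    return bin2hex(random_bytes(16));
}

function hashPassword($password, $userSalt)
{
    // The answer's scheme: SHA-256 over password + static salt + per-user salt.
    return hash('sha256', $password . STATIC_SALT . $userSalt);
}

function registerUser(array &$users, $username, $password)
{
    // At registration: create the per-user salt and store both salt and hash.
    $salt = makeSalt();
    $users[$username] = array(
        'password' => hashPassword($password, $salt),
        'salt'     => $salt,
    );
}

function verifyLogin(array $users, $username, $password)
{
    if (!isset($users[$username])) {
        // Unknown user: hash anyway so the response time does not reveal
        // whether the username exists.
        hashPassword($password, makeSalt());
        return false;
    }
    $row = $users[$username];
    // At login: fetch the stored salt, recompute with the same method, and
    // compare in constant time (hash_equals needs PHP >= 5.6).
    return hash_equals($row['password'], hashPassword($password, $row['salt']));
}

// Constructed stand-in for the `user` table: username => [password hash, salt].
$users = array();
registerUser($users, 'alice', 'correct horse battery staple');

var_dump(verifyLogin($users, 'alice', 'correct horse battery staple'));
var_dump(verifyLogin($users, 'alice', 'wrong password'));
var_dump(verifyLogin($users, 'bob', 'anything'));
```

The recompute-and-compare step in verifyLogin is what replaces the MD5(?) treatment: because the per-user salt lives in its own column, the check can no longer be a fixed SQL expression applied to the submitted password alone, so the row (hash and salt) is read first and the comparison happens in PHP. One caveat a practitioner would add: a single SHA-256 pass is cheap to brute-force offline, which is why the Zend\Crypt key-derivation page the answer links (PBKDF2, scrypt) or PHP's own password_hash() are the usual choice for the hashing step; the salt handling above stays the same either way.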
