Reputation: 143
Must I generate an additional salt, even though password_hash() already provides a salt?
In using PHP's native password_hash() function, must (or should) I generate my own salt even though (to my understanding), it can already create a salt as seen here in this example (provided by http://www.php.net):
<?php
/**
* Note that the salt here is randomly generated.
* Never use a static salt or one that is not randomly generated.
*
* For the VAST majority of use-cases, let password_hash generate the salt randomly for you
*/
$options = [
'cost' => 11,
'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM),
];
echo password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options)."\n";
?>
Currently I've been hashing using sha512 and generating a 38,500 character salt. (I wasn't sure if character count really mattered, so I tried anyways… it seems to have worked, as in allowing me to register and login users successfully, but I know not the whole security flaws of this) Something like this:
<?php
$Salt = str_repeat(hash("sha512", uniqid(time())), 40);
?>
Pretty odd, but when it comes to cryptography I have a lot to learn. (here's a link to one of the salts https://shrib.com/F7lB9Ycf) Now if I were to add an additional salt (if you were to say yes, salt again), then how would I append the salt in using password_verify()?
Thanks in advance to any who could help!
Upvotes: 2
Views: 284
Answers (2)
Reputation: 24071
You should not generate your own salt, because the function password_hash() does it as best as possible, using the random source of the operating system. In other words, you won't be able to generate a better salt, though you could do it worse.
// Leave out a salt in the options
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT, array("cost" => 11));
There is absolutely no advantage of generating a salt with 38500 characters. Depending on how the salt is added, it could even reduce security, when you use an algorithm with a maximum length for passwords (as BCrypt does). Usually a salt is about 20 bytes.
A salt should protect you from rainbow-table attacks. A rainbow-table would have to be built for exactly this salt, because brute-forcing a random 20+ password is impossible nowadays. If you add a unique salt for each password, an attacker would have to build a rainbow-table for each password. If you are interested in more information you can have a look at my tutorial about safely storing passwords.
Upvotes: 1
Reputation:
password_hash() generates its own salt. No need to salt again.See this from the PHP Reference: If omitted, a random salt will be generated by password_hash() for each password hashed. This is the intended mode of operation.
Upvotes: 0
Related Questions
- Understanding bcrypt salt as used by PHP password_hash
- PHP - hashing passwords with bcrypt
- Is it necessary to password_hash again when first password_hash already valid ? I'm newbie
- Is PHP password salt really necessary?
- PHP password_hash() / bcrypt
- Determining the salt from a password_hash()
- bcrypt and randomly generated salts
- Do I need unique salts with bcrypt in PHP?
- Using BCrypt, and generating salts
- When using PHP's crypt() function to create a bcrypt hash, do I need a salt?