Does a salt increase security with PHP 5.5's hashing function

Question

I know that PHP 5.5's new hashing function doesn't have to use a user-specified salt, but would it increase security? I've been doing a bit of reading and from what I understand, the hashing function uses a random salt each time which it can retrieve from the hash value when it comes time to verify a hash. But would there be any advantage at all to generating your own salts and using them? Any detriment?

Answer 1

I know that PHP 5.5's new hashing function doesn't have to use a user-specified salt, but would it increase security?

Assuming you are talking about password_hash, then no. It has all the salt you need built-in and there would be no advantage to adding any more.

No detriment either, except that more code = more complexity = more likelihood of bugs.

Answer 2

Seems you've got a few misunderstandings here.

Once the hash is generated, the whole idea is that it is completely one way. That means, from the message digest of a secure hashing algorithm, there is no way to know what the salt was. I've seen people store the salt in another column, for example.

Salts are designed to create entropy in your message digest set. And to prevent attacks using Rainbow tables. The salt adds an element of randomness to the message digest, beyond what the algorithm and the original value can do.

The detriment to trying to be clever and using your own hash is the realisation that you're probably not as clever as the security experts who wrote the APIs available to you. Seriously, when it comes to security, you can't leverage it against your mind. The human brain is prone to faults; it's why we work in teams. And a team of experts made random hash generators for you. Seriously, use them.