Balys Morkunas

Reputation: 25

Should I add salt from a custom randomly generated method to my hashed password? PHP

I am creating a login system with a database and wanted to ask about hashing passwords. I currently use the function password_hash() in PHP and, in addition, I add a custom random string of 20 characters. It looks something like this:

 $salt = generateRandomString();
 // '.' concatenates strings; '+' attempts numeric addition and fails on non-numeric strings
 $hashedPwd = password_hash($pwd . $salt, PASSWORD_DEFAULT);

And the function:

function generateRandomString($length = 20) {
   $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()_+{}|[]/?~`';
   $charactersLength = strlen($characters);
   $randomString = '';
   for ($i = 0; $i < $length; $i++) {
       // random_int() is a CSPRNG; rand() is not suitable for security purposes
       $randomString .= $characters[random_int(0, $charactersLength - 1)];
   }
   return $randomString;
}

I also later send the random string to the database and verify it together with the password when logging in.

My question is whether I need the extra string? Keep in mind that I want this to be as secure as possible.

Upvotes: 2

Views: 856

Answers (4)

Funk Forty Niner

Reputation: 74219

Firstly, don't generate a random string and include it during the hashing / storage process.

It will fail with password_verify() during verification, since it won't have any idea as to what the added salt was since it's not part of its core process.

My question is whether I need the extra string?

A: No and I already said this above.

Why? First it won't work, and it's not needed.

password_hash() generates its own.

If you really want to add your own salt to it, then drop the method you're using that adds to the hash. It's listed in the manual.

You should be careful though, as, and I quote:

"Warning The salt option has been deprecated as of PHP 7.0.0. It is now preferred to simply use the salt that is generated by default."

Note: You should heed the warnings that are also in the manual's Notes:

Caution

It is strongly recommended that you do not generate your own salt for this function. It will create a secure salt automatically for you if you do not specify one.

As noted above, providing the salt option in PHP 7.0 will generate a deprecation warning. Support for providing a salt manually may be removed in a future PHP release.

Since you appear to be new at this; if you're not already using a prepared statement to store and retrieve data, then I highly suggest you look into using them.

It will help against a possible SQL injection.


Keep in mind that I want this to be as secure as possible.

There is something you can use which was introduced in PHP 7.2.0, and that is Argon2.

For more information on this, consult the following:

It doesn't get as secure as that.

Upvotes: 4

user9272957

Reputation: 1

If you're worried about security and want to add a hash, you would need to manually make one, add it on both ends of your hashed password, and then include it in your registration and login when checking the database.

Upvotes: 0

Zeke

Reputation: 1291

As of PHP 7.0.0 the salt option has been deprecated and, as you can find on PHP's website, there is a warning that reads:

Warning The salt option has been deprecated as of PHP 7.0.0. It is now preferred to simply use the salt that is generated by default.

This is an option provided when using PASSWORD_BCRYPT as the algorithm. Also note that:

Caution Using the PASSWORD_BCRYPT as the algorithm, will result in the password parameter being truncated to a maximum length of 72 characters.

One thing I can tell you, although not related to security, is that you should check for the proper cost of your hash, in order to make it more efficient as well as secure.

All of the above and more, including a script to check what's the proper cost for your server's performance, can be found here in the documentation.

Furthermore, there is another caution that reads:

Caution It is strongly recommended that you do not generate your own salt for this function. It will create a secure salt automatically for you if you do not specify one.

Upvotes: 1
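A worked example, added here and not taken from the question or any of the answers, illustrating Funk Forty Niner's point that password_hash() carries its own salt (so password_verify() needs only the stored hash) and Zeke's note on the 72-character bcrypt limit. The function names registerUser(), loginUser() and check() are assumptions of this example.

```php
<?php
// Added example, not code from the question or any answer. It shows that
// password_hash() embeds its own random salt, that password_verify() needs
// nothing but the stored hash, and that bcrypt only uses the first 72 bytes.
declare(strict_types=1);

function registerUser(string $password): string
{
    // One call is enough: bcrypt (PASSWORD_DEFAULT) draws a fresh salt itself.
    return password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
}

function loginUser(string $password, string $storedHash): bool
{
    // Constant-time check; salt and cost are parsed back out of $storedHash.
    return password_verify($password, $storedHash);
}

function check(bool $ok, string $what): void
{
    if (!$ok) { throw new RuntimeException("failed: $what"); }
    echo "ok: $what\n";
}

$pw    = 'correct horse battery staple';   // constructed sample password
$hash1 = registerUser($pw);
$hash2 = registerUser($pw);

// Layout is $2y$<cost>$<22-char salt><31-char digest>, so the salt lives
// inside the hash column and never needs a column of its own.
check(substr($hash1, 0, 7) === '$2y$12$', 'bcrypt prefix and cost');
check(substr($hash1, 7, 22) !== substr($hash2, 7, 22), 'salt differs per call');
check($hash1 !== $hash2, 'same password, different stored hashes');

check(loginUser($pw, $hash1), 'correct password verifies');
check(!loginUser('wrong password', $hash1), 'wrong password rejected');
check(loginUser($pw, $hash2), 'verify works with either stored hash');

// bcrypt truncation: bytes beyond the 72nd are silently ignored.
$long = str_repeat('a', 72);
$hL   = password_hash($long . 'tail-one', PASSWORD_BCRYPT);
check(password_verify($long . 'tail-two', $hL), '73rd byte onward ignored');

// Argon2id (PHP 7.3+, PASSWORD_ARGON2ID) is used the same way, salt included.
if (defined('PASSWORD_ARGON2ID')) {
    $argon = password_hash($pw, PASSWORD_ARGON2ID);
    check(password_verify($pw, $argon), 'argon2id verifies');
}
```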

tldr_baz

Reputation: 78

password_hash generates its own salt value, so there's no need to provide one.

http://php.net/manual/en/function.password-hash.php

Upvotes: 2
