To encrypt:
$encryptedPassword = crypt($password, '$2a$07$usesomesillystringforsalt$');
Should the $usesomesillystringforsalt$ part be randomized or fixed? (I'm guessing fixed, but I want to be sure).
Result example:
$2a$07$usesomesillystringforeHwaCeDEv6rYjbWCzbzsFKwD4sDLktr
Is this a correct encrypted value?
To check if the given password by the user to log in is correct:
(Let's say there's an input field named password, and it is compared with the $password value retrieved from the database):
if (crypt($_POST['password'], '$2a$07$usesomesillystringforsalt$') === crypt($password, '$2a$07$usesomesillystringforsalt$')) {
// Password submitted is correct
}
Typically salts are stored in the database per-user, so if an attacker gets access to your entire password database, the attacker must brute-force each user individually.
Furthermore, it makes sense to use a per-site or per-application portion of the salt, to ensure that tables of common passwords and common salts (one or two characters would be easy, date would be tolerable, seconds since the epoch would be much larger, microseconds since the epoch would be difficult, 128 bits of randomness is impossible) can't be used against your application's database. If your per-user salts are large enough this is less useful -- so if your database has the space for storing larger per-user salts, go for it.
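Putting the question's crypt() call together with the per-user random salt the answer recommends, here is an added example (not code from the question or the answer): the salt is generated fresh for every user, the full 60-character hash is stored, and at login the stored hash itself is passed as the salt argument so crypt() re-derives the same salt and cost. The function names, the cost of 10 and the sample password are assumptions made for the example.

```php
<?php
// Added example: random per-user bcrypt salt for crypt(), plus verification.
// Uses the $2y$ identifier (PHP >= 5.3.7) rather than the older $2a$.

/** Build a bcrypt salt string: "$2y$" . cost . "$" . 22 chars from [./A-Za-z0-9]. */
function bcryptSalt(int $cost = 10): string
{
    // 16 random bytes -> 24 base64 chars; bcrypt's alphabet uses '.' where
    // standard base64 uses '+', and crypt() reads only the first 22 characters.
    $raw = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $raw);
}

/** Hash a new password; the returned 60-char string embeds cost and salt. */
function hashPassword(string $password): string
{
    $hash = crypt($password, bcryptSalt());
    // crypt() signals a rejected salt with a short string ("*0"/"*1"); never store that.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

/** Verify a submitted password against the hash stored for that user. */
function checkPassword(string $submitted, string $storedHash): bool
{
    // The stored hash doubles as the salt argument: crypt() parses "$2y$cost$salt"
    // from its prefix, so nothing beyond the hash itself has to be stored.
    // hash_equals() compares in constant time.
    return hash_equals($storedHash, crypt($submitted, $storedHash));
}

// Constructed demo: hashing the same password twice gives two different
// hashes because each call draws a new random salt.
$stored = hashPassword('correct horse battery staple');
$again  = hashPassword('correct horse battery staple');
var_dump($stored !== $again);                                       // salts differ
var_dump(checkPassword('correct horse battery staple', $stored));   // right password
var_dump(checkPassword('wrong password', $stored));                 // wrong password
```

On PHP 5.5 and later, password_hash() and password_verify() perform exactly this salt generation and comparison for you and are the preferred interface.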