funbinod Posted August 27, 2014

Can anyone please suggest how I can use a salted password? I just learnt how to use hashed passwords. After learning, I came to know that they can be easily hacked using a rainbow table or other methods, and got a suggestion online to use a salted password with the hash. But I had difficulties learning the use of salt. Please guide me on how I can use a salt while registering, logging in and changing the password. Thanks in advance.
JamesB Posted August 27, 2014

$salt = 'example'; // this must never change
$passwordUnencrypted = 'password';
$passwordEncrypted = hash('sha512', $passwordUnencrypted . $salt);

// adding row to table (registering)
$sql = "INSERT INTO users (password) VALUES ('" . $passwordEncrypted . "')";

// checking password in table (logging in)
$sql = "SELECT COUNT(*) FROM users WHERE password = '" . $passwordEncrypted . "' LIMIT 1"; // obviously check for username too

// updating password in table (changing password)
// $user_id must be an integer you already validated before it is concatenated into SQL
$sql = "UPDATE users SET password = '" . $passwordEncrypted . "' WHERE user_id = " . (int) $user_id;
thescientist Posted August 27, 2014

If you are running on PHP >= 5.5, you could use these APIs: http://www.sitepoint.com/hashing-passwords-php-5-5-password-hashing-api/
funbinod (Author) Posted August 28, 2014

To @JamesB's suggestion: what I wonder is, if the stored hash is hacked and the exact password is found, let's say "password", then can't a hacker use that to log in, since the process is:

> $salt = 'example'; // this must never change
> $passwordUnencrypted = 'password';
> $passwordEncrypted = hash('sha512', $passwordUnencrypted . $salt);
>
> // checking password in table (logging in)
> $sql = "SELECT COUNT(*) FROM users WHERE password = '" . $passwordEncrypted . "' LIMIT 1"; // obviously check for username too

And when he tries logging in, he will enter "password"; won't it be added to the fixed salt value, which is always there in the script or database and which he doesn't need to provide, as you described!? Isn't it the same as entering the password only, without any salt??? Please help me understand this more clearly.
JamesB Posted August 28, 2014

When not using a salt: if the hacker gains access to your database and sees the encrypted password, they can use public encryption lookup tables to find one or many possibilities of what the password is.

When using a salt: if the hacker gains access to your database and sees the encrypted password, they cannot use public encryption lookup tables to find the password. If the hacker gains access to your database and also access to your PHP file containing the salt, they still cannot use public encryption lookup tables to find the password; however, they can attempt to reverse it themselves, which will probably take a very long time, as they would need to brute force millions, probably well above trillions, of combinations of text concatenated to the salt to find the matching encrypted string.
justsomeguy Posted August 28, 2014

Your salt should be unique for every user; you should not use a hard-coded salt for every user. Store the salt in the database along with the user's record. The salt can be something like a hash of the current time plus the user's IP address, for example, but it needs to be unique for every user and you should store it with the rest of the user data. One of the points of using a salt is so that if 100 users all have the same password, their hashes are all different.
JamesB Posted August 28, 2014

> Your salt should be unique for every user; you should not use a hard-coded salt for every user.

Very interesting, thanks for the info.
Don Jajo Posted August 28, 2014

Using PHP >= 4, use this: http://php.net/manual/en/function.crypt.php

Edited August 28, 2014 by Don Jajo
funbinod (Author) Posted August 29, 2014

> if 100 users all have the same password, their hashes are all different.

Sorry! I'm just learning about salt. The confusion that arose is: "if all have the same password and the salt for all is the same, how could their hashes be different?" Please help me understand how salt works.
justsomeguy Posted August 29, 2014

> The confusion that arose is: "if all have the same password and the salt for all is the same, how could their hashes be different?"

It won't be different, it will be the same. That's why each salt for each user needs to be different.
funbinod (Author) Posted August 29, 2014

Thank you! Another question! Where is the salt stored? If it is stored in the database and the database is hacked, can't the hacker get the salt too??? If it is stored in a file or script, isn't it possible they can hack everything when they can hack the database???
justsomeguy Posted August 29, 2014

Store it in the database.

> If it is stored in the database and the database is hacked, can't the hacker get the salt too???

Yeah. So what? The salt doesn't need to be secret, it needs to be unique for every user.
funbinod (Author) Posted August 29, 2014

Hummmmmm!!! It means he will find the hashed password and the salt, but could not execute the password because it is combined in the hashed password in the database! Did I understand correctly!? If so, please guide me on how the salt is uniquely generated for each user!?
justsomeguy Posted August 29, 2014

Using a unique salt means that rainbow table attacks will not work, because the rainbow table does not use the salt. If he has the salt and your hashing algorithm then he can generate a rainbow table for just that one user, but that is going to be a computationally expensive process. Ideally your hashing algorithm should require around 0.25 seconds or more to generate the hash. That would mean that generating 10 million hashes to fill a rainbow table for a single user would require 28 days. To do that for 100 users would require over 7 years. The point is to increase the time required to run attacks on your system, to make it not worth it. Ideally it does not matter if an attacker has both your database and your code, because it's going to take too long to do anything anyway.

> If so, please guide me on how the salt is uniquely generated for each user!?

It doesn't really matter; one way is to generate a random number and then hash it. I'm sure you can come up with other ways. You might also find this useful: http://jeremykendall.net/2014/01/04/php-password-hashing-a-dead-simple-implementation/
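The register, log-in and change-password flow asked for in the opening post, with the per-user random salt and slow hash recommended above, as an added example that is not code from this thread. It uses the PHP 5.5 password_hash()/password_verify() API that thescientist linked (PHP 5.6 or later for the array constant), an in-memory SQLite database and an assumed users table layout.

```php
<?php
// Added example, not code from the thread. password_hash() generates a random
// per-user salt and stores it inside the returned hash string, so no separate
// salt column is needed and password_verify() can extract it again.
// The users table layout here is an assumption for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');

// bcrypt cost controls how slow one hash is; raise it until a hash takes
// roughly 0.25 s on your own server, as suggested earlier in the thread.
const HASH_OPTIONS = ['cost' => 12];

function register(PDO $db, string $username, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);   // prepared statement: no string-built SQL
}

function login(PDO $db, string $username, string $password): bool {
    // Look the user up by the plain username, then verify the password against
    // the stored hash; the salt inside the hash makes the comparison work.
    $stmt = $db->prepare('SELECT user_id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    // Transparently upgrade hashes made with an older/lower cost on successful login.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT, HASH_OPTIONS)) {
        $db->prepare('UPDATE users SET password = ? WHERE user_id = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS), $row['user_id']]);
    }
    return true;
}

function changePassword(PDO $db, string $username, string $current, string $new): bool {
    if (!login($db, $username, $current)) {   // require the current password first
        return false;
    }
    $stmt = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT, HASH_OPTIONS), $username]);
    return true;
}

register($db, 'alice', 'password');
register($db, 'bob', 'password');   // same password as alice ...
$hashes = $db->query('SELECT password FROM users')->fetchAll(PDO::FETCH_COLUMN);
var_dump($hashes[0] !== $hashes[1]); // ... yet different stored hashes, because the salts differ
var_dump(login($db, 'alice', 'password'), login($db, 'alice', 'wrong'));
var_dump(changePassword($db, 'alice', 'password', 'new-secret'), login($db, 'alice', 'new-secret'));
```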
funbinod (Author) Posted August 29, 2014

Thank you for all the guidance. One last question! How about hashing the username????
justsomeguy Posted September 2, 2014

Why would you hash a username?
funbinod (Author) Posted September 2, 2014

There is no proper logic. I just thought that if we could hide all the usernames from hackers as well, if they hacked the database, then they would need more time to extract the usernames and passwords.
justsomeguy Posted September 2, 2014

I don't see any reason to try and hide a username. The process to look up a user in the database given an unhashed username would be prohibitively expensive if you used a salt.
funbinod (Author) Posted September 2, 2014

I didn't understand what you said, but it's OK; I will not think of hashing a username for now.
justsomeguy Posted September 2, 2014

> The process to look up a user in the database given an unhashed username would be prohibitively expensive if you used a salt.

Just think about how that would work. You save all of your usernames in the database as hashes, and you salt the hash with the same salt you use for the password hash. Think about the process to look for a user's record when they try to log in with their username and password. You need to get all records from the database and loop through them. For each record, you need to get the salt, hash the username with the salt, and check that against the hash saved in the database. If it takes 0.25 seconds to calculate a hash with your algorithm, and the user you're looking for is #500 in the database, then it's going to take over 2 minutes of hashing to find their database record. You can't just use a single SQL query to find the record for that username if the username is salted and hashed; you need to loop through and test each one. That assumes you're using a hash/salt algorithm that the database does not natively support, but even if you were using something that the database supports, it would still have to calculate all of those hashes just to find a single record.