Jump to content

PHP crypt question


Recommended Posts

If you used the PHP Crypt function with blowfish and crypt tomtomtom and used tom as the salt you would end up with an output like this.




If you were to save this to the database to use in authentication wouldn't it show at the beginning what you used for creation and display the Salt? The $2x for blowfish and tom salt are right there. Wouldn’t this be a security problem? Wouldn’t knowing the salt help a potential brute force hack attempt if they got your database information?


I’m just curious why this is set up this way, I’m new to the whole cryptography thing. Thank you to anyone who can help clear this up for me. I hope everyone is having a good day.

Link to comment
Share on other sites

If you want to be secured as possible use sha512 :)

hash('sha512', <yourstring>);

This would generate your string to 512 character length of string. If you want security just make some brute-force protection to your website. For example if you try to login 5 times in row in 15 min with wrong account data temp-lock the IP so it cannot login even if it would be correct password.


5 Tries >> 15 min lock >> Unlock >> Repeat


Anyways i don't know answer to your question but tried to help in someway :)

Link to comment
Share on other sites

It's not a major problem if someone knows the salt. It would be a problem if you were using the same salt for every user. The goal of the salt is to make the hashes different if 2 people have the same password, if you use the same salts then the hashes will be the same if the passwords are the same. It's not really a security threat if someone knows the salts though, they still have to go through and brute force it to try a dictionary attack.




This would generate your string to 512 character length of string.

The output is 512 bits, not bytes. For better security, run the hash through a loop to hash it thousands of times. The crypt function with SHA-512 will do that automatically, the default is 5000 times. The goal is to make it take longer to calculate the hash, so that it takes longer to break it. it takes about a quarter of a second to calculate a password hash on my sites, which isn't long enough to make the user wait but is long enough to make it computationally expensive to try and break. It's easy for me to increase the time if I want to, I just have to change the number of iterations. Right now I have it using 7 hashing algorithms 10,000 times total.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Create New...