PHP crypt question

[FARGORE]

If you used the PHP Crypt function with blowfish and crypt tomtomtom and used tom as the salt you would end up with an output like this.

 

$2x$07$tom$$$$$$$$$$$$$$$$$$.qav3KhZehVp8voo3h2F5ENKt3315qJW

 

If you were to save this to the database to use in authentication wouldn't it show at the beginning what you used for creation and display the Salt? The $2x for blowfish and tom salt are right there. Wouldn’t this be a security problem? Wouldn’t knowing the salt help a potential brute force hack attempt if they got your database information?

 

I’m just curious why this is set up this way, I’m new to the whole cryptography thing. Thank you to anyone who can help clear this up for me. I hope everyone is having a good day.

[Mudsaf]

If you want to be secured as possible use sha512

hash('sha512', <yourstring>);

This would generate your string to 512 character length of string. If you want security just make some brute-force protection to your website. For example if you try to login 5 times in row in 15 min with wrong account data temp-lock the IP so it cannot login even if it would be correct password.

 

5 Tries >> 15 min lock >> Unlock >> Repeat

 

Anyways i don't know answer to your question but tried to help in someway

[justsomeguy]

It's not a major problem if someone knows the salt. It would be a problem if you were using the same salt for every user. The goal of the salt is to make the hashes different if 2 people have the same password, if you use the same salts then the hashes will be the same if the passwords are the same. It's not really a security threat if someone knows the salts though, they still have to go through and brute force it to try a dictionary attack.

 

 

 

This would generate your string to 512 character length of string.

The output is 512 bits, not bytes. For better security, run the hash through a loop to hash it thousands of times. The crypt function with SHA-512 will do that automatically, the default is 5000 times. The goal is to make it take longer to calculate the hash, so that it takes longer to break it. it takes about a quarter of a second to calculate a password hash on my sites, which isn't long enough to make the user wait but is long enough to make it computationally expensive to try and break. It's easy for me to increase the time if I want to, I just have to change the number of iterations. Right now I have it using 7 hashing algorithms 10,000 times total.