Processing salts affecting login

Discussion in 'Scripts, 3rd Party Apps, and Programming' started by PHPnewbie25, May 14, 2014.

  1. PHPnewbie25

    PHPnewbie25 New Member

    After developing a functional register form, I went to test the login, where the passwords entered are not recognised even though they are right, as I created them to test the register form. I read about having to store the salt within the DB next to the password. I've been looking for examples on how to do this, but I just find different methods of security. Anyone have an idea of how I could store the salt? The code below is what I use to create the security.

    // 16 random bytes for the salt, from /dev/urandom
    $bytes = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
    // base64 uses '+', which is not in bcrypt's salt alphabet; swap it for '.'
    $salt = strtr(base64_encode($bytes), '+', '.');
    // bcrypt expects exactly 22 salt characters
    $salt = substr($salt, 0, 22);
    // hashed password: $hmac is the password value prepared earlier in the form handler
    $bcrypt = crypt($hmac, '$2y$12$' . $salt);
    $token = md5($bcrypt);
  2. essellar

    essellar Community Advocate Community Support

    Use this:

    Once the PHP version has been upgraded to 5.5.x on your server, the compatibility script will not be needed, and because it's conditionally included, will not be loaded. The salt is stored as part of the password hash (it's encoded in the first few bytes), and the password_verify() function will use the stored salt (along with the algorithm and the work factor) to see if the submitted password yields the same hash.

    NEVER "roll your own" when it comes to security. If, at any point, you think you are at least partially qualified to create a hash or encryption algo, put it out in public and have the world try to poke holes in it before you actually use it (or release it). PHP 5.5 has password hashing, checking and re-hashing built in; there's no need to do your own anymore. (And the compatibility script was written by the same guy who wrote the internal functions.) The only caveat is that BCRYPT has a 72-byte length limit, so you will probably want to SHA256 the password/passphrase before passing it in if the length is too long. (And never restrict the upper end of what the user can supply, except to prevent it from exceeding the POST limits. If the user wishes to use the second chapter of Harry Potter and the Deathly Hallows, translated into Dyirbal, as a passphrase, that should be no skin off your nose.)
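Added example (not code from either poster): the register/login flow with the built-in password_* functions essellar recommends, plus the answer to the original question of where the salt goes. It assumes PHP 5.5+ or the password_compat script, a single VARCHAR(255) column for the stored hash, and a cost of 12 as in the first post. The pre-hash step uses base64 of the SHA-256 digest rather than the raw digest; that encoding choice is mine, because raw digest bytes can contain a NUL, and bcrypt treats its input as a C string and stops at the first NUL.

```php
<?php
// Added example for this thread, not the posters' code.
// Requires PHP >= 5.5, or PHP 5.3.7+ with password_compat included first.

// Work factor used by both posts in this thread.
const BCRYPT_COST = 12;

// bcrypt only looks at the first 72 bytes of its input. To accept passphrases of
// any length, reduce them to a fixed 44-character base64 string first. The raw
// binary digest is NOT used: it may contain 0x00, and bcrypt would truncate there.
function prehash($password)
{
    return base64_encode(hash('sha256', $password, true));
}

// Registration: returns a 60-character string "$2y$12$<22-char salt><31-char hash>".
// Algorithm, cost and salt are all inside that string, so it is stored as ONE
// column value; no separate salt column is needed.
function hashPasswordForStorage($password)
{
    return password_hash(prehash($password), PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
}

// Login: password_verify() reads the salt and cost back out of the stored string
// and compares in constant time. Generating a fresh salt at login (the likely
// cause of the failure in the first post) is exactly what must NOT happen.
function checkLogin($submittedPassword, $storedHash)
{
    return password_verify(prehash($submittedPassword), $storedHash);
}

// After a successful login, upgrade the stored value if the cost or algorithm
// has since changed. Returns the new hash to store, or null if nothing to do.
function rehashIfNeeded($submittedPassword, $storedHash)
{
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST))) {
        return hashPasswordForStorage($submittedPassword);
    }
    return null;
}

// For the hand-built crypt() code in the first post: the salt is the 22
// characters after "$2y$12$", i.e. the first 29 characters of $bcrypt. Because
// that output is the same format password_hash() produces, password_verify()
// also verifies it, given the same input that was originally hashed.
function saltFromBcryptString($storedHash)
{
    return substr($storedHash, 0, 29);
}

// Demo with a constructed passphrase.
$stored = hashPasswordForStorage('correct horse battery staple');
var_dump(strlen($stored));
var_dump(checkLogin('correct horse battery staple', $stored));
var_dump(checkLogin('wrong password', $stored));
echo saltFromBcryptString($stored), "\n";
var_dump(rehashIfNeeded('correct horse battery staple', $stored));
```

Run it from the command line with `php example.php`. The two `checkLogin()` calls show the stored string alone is enough to verify a password, which is why the original form did not need a salt column at all; the `saltFromBcryptString()` output shows where the salt from the first post's code actually lives.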
