Processing salts affecting login

PHPnewbie25

New Member
After developing a function register form, I went to test the login, where the passwords entered are not recognised even though they are right, as I created them to test the register form. I read about having to store the salt within the DB next to the password. I've been looking for examples on how to do this, but I just find different methods of security. Anyone have an idea of how I could store the salt? The code below is what I use to create the security.


PHP:
//hmac
$hmac = hash_hmac('sha512', $password1, file_get_contents('textfiles/key.txt'));

//bytes for salt
$bytes = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);

//salt
$salt = strtr(base64_encode($bytes), '+', '.');

//make bcrypt 22 characters
$salt = substr($salt, 0, 22);

//hashed password
$bcrypt = crypt($hmac, '$2y$12$' . $salt);
$token = md5($bcrypt);

essellar

Community Advocate
Community Support
Use this: http://community.x10hosting.com/thr...bility-script-for-php-5-3-x-available.187807/

Once the PHP version has been upgraded to 5.5.x on your server, the compatibility script will not be needed, and because it's conditionally included, will not be loaded. The salt is stored as part of the password hash (it's encoded in the first few bytes), and the password_verify() function will use the stored salt (along with the algorithm and the work factor) to see if the submitted password yields the same hash.

NEVER "roll your own" when it comes to security. If, at any point, you think you are at least partially qualified to create a hash or encryption algo, put it out in public and have the world try to poke holes in it before you actually use it (or release it). PHP 5.5 has password hashing, checking and re-hashing built in; there's no need to do your own anymore. (And the compatibility script was written by the same guy who wrote the internal functions.) The only caveat is that BCRYPT has a 72-byte length limit, so you will probably want to SHA256 the password/passphrase before passing it in if the length is too long. (And never restrict the upper end of what the user can supply, except to prevent it from exceeding the POST limits. If the user wishes to use the second chapter of Harry Potter and the Deathly Hallows, translated into Dyirbal, as a passphrase, that should be no skin off your nose.)
 
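An added example (not code from either poster) of what the reply describes: register and login with PHP's built-in password_hash()/password_verify(), where the salt travels inside the stored hash string, plus the SHA-256 pre-hash for the 72-byte bcrypt limit. The function names and the sample passphrase are my own; it assumes PHP 5.5+ (or the compatibility script on 5.3.7+).

```php
<?php
// Added example, not the thread's code. Only the string returned by
// password_hash() is stored in the users table (a VARCHAR(255) column);
// the salt, algorithm and cost are encoded in that string, so no
// separate salt column is needed.

// Pre-hash so bcrypt's 72-byte limit never silently truncates a long
// passphrase. Base64 (44 chars) rather than raw bytes: a raw SHA-256
// digest may contain a NUL byte, which bcrypt treats as end of input.
function prehash($passphrase) {
    return base64_encode(hash('sha256', $passphrase, true));
}

// Register: returns the value to store in the DB.
function makeStoredHash($passphrase) {
    return password_hash(prehash($passphrase), PASSWORD_BCRYPT, array('cost' => 12));
}

// Login: password_verify() reads the salt and cost back out of $stored.
function checkLogin($passphrase, $stored) {
    return password_verify(prehash($passphrase), $stored);
}

// Illustrates where the salt lives: "$2y$" + cost + "$" + 22-char salt + 31-char hash.
function bcryptParts($stored) {
    if (!preg_match('#^\$2y\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#', $stored, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return array('cost' => (int) $m[1], 'salt' => $m[2], 'hash' => $m[3]);
}

// --- demo with a constructed passphrase ---
$passphrase = 'correct horse battery staple';   // constructed sample
$stored = makeStoredHash($passphrase);
print_r(bcryptParts($stored));                   // cost, 22-char salt, 31-char hash
var_dump(checkLogin($passphrase, $stored));      // correct passphrase
var_dump(checkLogin('wrong password', $stored)); // wrong passphrase

// Two passphrases that differ only after byte 72 still verify differently,
// because the pre-hash feeds bcrypt a fixed 44-byte string.
$long = str_repeat('a', 80);
var_dump(checkLogin($long . 'X', makeStoredHash($long)));

// After a successful login, upgrade the stored hash if the cost was raised since.
if (password_needs_rehash($stored, PASSWORD_BCRYPT, array('cost' => 12))) {
    $stored = makeStoredHash($passphrase); // then UPDATE users SET password = $stored
}
```

Calling bcryptParts() on two hashes of the same passphrase shows a different salt and hash each time, which is exactly why the login check has to go through password_verify() rather than comparing strings.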