
php salt my passwords per user sha512 - am I doing this right?

I'm trying to correctly do a per user and site wide salt for my passwords. Here's what I've got:

require('../../salt.php'); //this is above the web root and provides $salt variable
$pw = mysql_real_escape_string($_POST['pw']);
$per_user_salt = uniqid(mt_rand());
$site_salt = $salt; //from salt.php that was required on first line
$combine = $pw . $per_user_salt . $site_salt;
$pw_to_put_in_db = hash("sha512", $combine);

Is this right? Thanks


Often people use a unique salt concatenated with the password, then use the HMAC method to add the site-wide hashing key:

http://www.php.net/manual/en/function.hash-hmac.php

$password = hash_hmac('sha512', $password . $salt, $sitewide_key);
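Worked version of the approach this answer describes, added here as an example and not the answerer's own code: a random per-user salt stored next to the hash, and a site-wide key that lives outside the web root and is only ever used as the HMAC key. The `$sitewide_key` value, the `make_salt`/`hash_password`/`verify_password` function names and the sample password are constructed for the example; in a real deployment the key would come from a file such as the salt.php the question mentions.

```php
<?php
// Added example: per-user salt + site-wide HMAC key. Not the answerer's code.

// Assumption: normally loaded from a file above the web root (e.g. salt.php).
// A constructed value is used here so the script runs on its own.
$sitewide_key = 'constructed-site-wide-key-for-this-example';

// Per-user salt from a CSPRNG. uniqid() and mt_rand() are predictable and
// should not be used for this purpose.
function make_salt(): string
{
    return bin2hex(random_bytes(16)); // 32 hex characters, stored in the user row
}

// Keyed hash of password||salt. The salt goes in the database; the key does not.
function hash_password(string $password, string $salt, string $key): string
{
    return hash_hmac('sha512', $password . $salt, $key);
}

// Constant-time comparison so a wrong guess takes the same time as a right one.
function verify_password(string $password, string $salt, string $stored, string $key): bool
{
    return hash_equals($stored, hash_password($password, $salt, $key));
}

// Registration: persist both $salt and $stored alongside the username.
$salt   = make_salt();
$stored = hash_password('correct horse battery', $salt, $sitewide_key);

// Login: fetch $salt and $stored for the submitted username, then verify.
$ok  = verify_password('correct horse battery', $salt, $stored, $sitewide_key);
$bad = verify_password('wrong guess', $salt, $stored, $sitewide_key);

printf("stored=%s\nsalt=%s\nvalid login: %s\ninvalid login: %s\n",
    $stored, $salt, $ok ? 'yes' : 'no', $bad ? 'yes' : 'no');
```

Note that the salt must be stored: without it the server cannot recompute the hash at login, which is why a scheme that keeps the per-user part "not in the database" cannot actually be per-user. A single fast SHA-512 HMAC is also quick to brute-force offline; the crypt-based answer below, or PHP's `password_hash()`, adds the slow iterated work factor this construction lacks.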


This is fine, just removed "" from "sha512" :)

$pw = $_POST['pw'];
$per_user_salt = uniqid(mt_rand());
$site_salt = $salt; //from salt.php that was required on first line
$combine = $pw . $per_user_salt . $site_salt;
$pw_to_put_in_db = hash(sha512, $combine);

Don't have to use md5; sha512 is secure enough itself.


Use crypt, it's available in all languages and your password hashes will be useable by other programs as well:

$hash = crypt("secret", '$6$randomsalt$'); // single quotes: in a double-quoted string "$randomsalt" would be interpolated as a variable
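A complete version of the crypt approach, added as an example rather than taken from the answer: it builds a properly formatted SHA-512 crypt salt from a CSPRNG, sets an explicit rounds count, and verifies by feeding the stored hash back to `crypt()`. The function names `make_crypt_salt`, `hash_with_crypt` and `verify_with_crypt`, the rounds value and the sample password are assumptions made for this example.

```php
<?php
// Added example: SHA-512 crypt with a random salt and a work factor.
// Not the answerer's code.

// crypt(3) salts use the alphabet [a-zA-Z0-9./]. base64 of 12 random bytes is
// exactly 16 characters with no padding; '+' is swapped for '.' to fit the alphabet.
function make_crypt_salt(int $rounds = 100000): string
{
    $saltChars = substr(strtr(base64_encode(random_bytes(12)), '+', '.'), 0, 16);
    // Single-quoted so the '$' characters are literal.
    return '$6$rounds=' . $rounds . '$' . $saltChars . '$';
}

// Returns a self-describing string: "$6$rounds=N$salt$hash". Nothing else
// needs to be stored, and other crypt-aware software can check it.
function hash_with_crypt(string $password): string
{
    return crypt($password, make_crypt_salt());
}

// crypt() reads algorithm, rounds and salt from the prefix of $stored, so
// passing the stored value as the "salt" recomputes with identical settings.
function verify_with_crypt(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

$stored = hash_with_crypt('correct horse battery');

printf("stored: %s\n", $stored);
printf("correct password accepted: %s\n",
    verify_with_crypt('correct horse battery', $stored) ? 'yes' : 'no');
printf("wrong password accepted: %s\n",
    verify_with_crypt('wrong guess', $stored) ? 'yes' : 'no');
```

The rounds parameter is what distinguishes this from a single `hash('sha512', ...)`: each guess costs the attacker the same iterated work it costs the server. On PHP 5.5 and later, `password_hash()` / `password_verify()` wrap the same idea with bcrypt and handle salt generation and formatting for you.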


Based on comments, here is what I'm going to do: Change my $combine to something that is unique per user but not stored in db. So something like: $combine = $pw . md5($pw) . 'PoniesAreMagical' . $site_salt . md5($pw);, etc etc etc... Thanks for the help...

So, for those of you trying to figure out how to do this for the first time (like me)... it's all about the algorithm... make something obscure, unique, difficult to figure out; because if someone wants to get into your system, they are going to have to figure this out. Thanks to all for awesome comments.
