PHP Hashing and Salting
jeremyyak
I'm having a little trouble understanding salting...

I am using the md5() function to do something, for example this:
Code:
$pass = $_REQUEST['password'];   // password exactly as submitted by the form
$pass = md5($pass);              // 32-character hex digest of the password


Now where does the salting come in?
Where do you get the salt from?
What does salting do? And what is the benefit?

Thanks in advance,
~Jeremy~
hyhy

Don't know exactly what salting means, but I think I know what is on your mind.

It's better to store passwords encoded in md5, for example, because if you're not, then when your database gets hacked, or someone who knows the password to your database takes the passwords out, they can use them in the name of the evil empire. Using md5 no one can hack those passwords, even you; even if they become known it's hard to guess them or decode them (nearly impossible). And when you want to match passwords, just match them after md5, for example:

Code:
$guess = $_REQUEST['guess'];
// strict comparison: PHP's loose == treats hash strings such as "0e123" and "0e456" as equal
if (md5($guess) === $pass_in_database) {
    // do what you want
}


$pass_in_database is of course encoded in md5. Hope that enlightens you a little bit about this, and I hope I guessed what you meant.

edit: I did some searching on Google and found this:


Quote:
recommend saving passwords using salted md5 hashes. Salting in short: “When the user sets a password, a short string called the salt is suffixed to the password before encrypting it; the salt is stored along with the encrypted password so that it can be used during verification. Since the salt is different for each user, the attacker can no longer use a single encrypted version of each candidate password. If the salt is long enough, the attacker must repeat the encryption of every guess for each user, and this can only be done after obtaining the encrypted password record for that user.”

Here’s a little example using salted passwords:

To authenticate users on your website (login) your probably using a SQL statement like this one:
SELECT user_id, username FROM users WHERE password = MD5('thepassword');

This is insecure. If someone would know the md5 hash of the password, and the password is weak, it could be “reversed” using the MD5 database.

Use salted passwords to avoid this:
SELECT user_id, username FROM users WHERE password = MD5(user_id || 'some_secret_string' || 'thepassword');

It's also possible to store the salt along with the password in the database.


It's even harder to decode or guess passwords using salting with md5.

edit again:

The questions:
Quote:
Now where does the salting come in?
Where do you get the salt from?
What does salting do? And what is the benefit?


1. Salting comes in with passwords. You just think of a salting word or some characters and add it as a prefix to the real password before md5.
2. You just pick it at random, any will do; it's just like a second password.
3. It makes the password harder to guess.
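The scheme hyhy describes, put into runnable PHP as an added example (this is not code from the thread or from Frihost): a random salt is generated per user, stored next to the hash, and recombined with the candidate password at login. Beside it is the form a practitioner should actually use today, password_hash()/password_verify() (bcrypt by default), because md5 is so fast that a salt only defeats precomputed tables; it does nothing against brute-forcing one user's hash at billions of guesses per second. The users table and column names mentioned in comments are assumptions; the demo touches no database.

```php
<?php
// Added example, not code from the original thread. Shows per-user salted MD5 as
// described above, and next to it password_hash()/password_verify(), which embeds
// a random salt and a tunable cost in the stored string. No database is used; the
// `users(salt, hash)` columns referred to in comments are an assumption for the demo.

declare(strict_types=1);

// --- Scheme from the thread: md5(salt . password) with a stored per-user salt ----

// Fresh random salt per user; random_bytes() is CSPRNG-backed (PHP 7+).
function make_salt(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));   // 32 hex characters
}

// Returns what would be written to users(salt, hash) when the password is set.
function salted_md5_create(string $password): array
{
    $salt = make_salt();
    return ['salt' => $salt, 'hash' => md5($salt . $password)];
}

// Verification: recompute with the salt read from the user's row.
// hash_equals() compares in constant time and avoids PHP's loose ==, which treats
// hex strings like "0e123" and "0e456" as equal numbers.
function salted_md5_verify(string $password, string $salt, string $storedHash): bool
{
    return hash_equals($storedHash, md5($salt . $password));
}

// --- Recommended replacement: password_hash() / password_verify() ----------------

function pw_create(string $password): string
{
    // PASSWORD_DEFAULT is bcrypt; the salt and cost are encoded in the result,
    // so only this one string needs to be stored.
    return password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
}

function pw_verify(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// --- Demo on constructed input -----------------------------------------------------

$record = salted_md5_create('correct horse');
printf("salt=%s hash=%s\n", $record['salt'], $record['hash']);
printf("salted md5, right password: %s\n",
    salted_md5_verify('correct horse', $record['salt'], $record['hash']) ? 'ok' : 'rejected');
printf("salted md5, wrong password: %s\n",
    salted_md5_verify('wrong', $record['salt'], $record['hash']) ? 'ok' : 'rejected');

// Two users with the same password get different hashes, so a single table of
// md5(candidate) values no longer matches every account at once.
$a = salted_md5_create('password123');
$b = salted_md5_create('password123');
printf("same password, hashes differ: %s\n", $a['hash'] !== $b['hash'] ? 'yes' : 'no');

$bcrypt = pw_create('correct horse');
printf("bcrypt string: %s\n", $bcrypt);
printf("bcrypt, right password: %s\n", pw_verify('correct horse', $bcrypt) ? 'ok' : 'rejected');
printf("bcrypt, wrong password: %s\n", pw_verify('wrong', $bcrypt) ? 'ok' : 'rejected');
```

On the login path this replaces the single `WHERE password = MD5(...)` query from the quoted snippet with two steps: select the user's row by username (with a prepared statement), then run the verification function in PHP against the stored salt and hash. Doing the comparison in PHP rather than in SQL also keeps the candidate password out of the database's query log.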
jeremyyak
Went a little off topic there, but you did answer my question.

Thanks a lot,
~Jeremy~
© 2005-2011 Frihost, forums powered by phpBB.