How do you securely store a user's password and salt in MySQL?

走了就别回头了 2020-12-08 08:44

So, I found out on SO that you're supposed to hash the password together with a "salt". (The articles can be found here and here.)

Here's the code:



        
8 answers
  • 2020-12-08 08:56

    I know this is old, but for anyone that manages to stumble on this post...

    What you are really trying to do is HMAC. Trying to do that yourself creates issues. You can partially compute hashes, which reduces the amount of effort required to guess at a password, for instance. HMAC addresses those kinds of concerns.

    Better still is scrypt or bcrypt. HMAC still often uses hash algorithms that are designed to be quick and easy to compute; there are even hardware implementations of many of the hash algorithms. bcrypt is computationally expensive and scrypt is memory intensive. Both make things harder for an attacker, but scrypt in particular makes it really hard to build hardware devices to crack a password.

    I really like the chart over here: https://github.com/pbhogan/scrypt#why-you-should-use-scrypt

  • 2020-12-08 09:00

    A salt is a random number of a fixed length. This salt must be different for each stored entry. It must be stored as clear text next to the hashed password.

    From

    https://www.owasp.org/index.php/Hashing_Java#Why_add_salt_.3F

  • 2020-12-08 09:06

    There are good articles about storing passwords right. One of them for example: Storing Passwords - done right!

    You should use a different salt for every user, but there's no need to store the salts separately. See a similar discussion in another thread.

    By the way, you probably shouldn't be using sha1 but something stronger instead, e.g. sha256 or sha512 (at least to avoid bad publicity). There's a good answer regarding this: How insecure is a salted SHA1 compared to a salted SHA512

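The advice in the answers above, put together as an added example (not code from the question or from any answer): bcrypt through PHP's `password_hash()`, which draws a different random salt for each user and stores it inside the hash string, so no separate salt column is needed. The `user(name, passhash)` table layout and the in-memory SQLite database standing in for MySQL are assumptions, made so the script runs offline.

```php
<?php
// Added example: per-user salted bcrypt hashes via PHP's built-in password API.
// Assumptions: table user(name, passhash); in-memory SQLite stands in for
// MySQL so the script runs offline. With MySQL only the PDO DSN changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// bcrypt output is 60 characters; VARCHAR(255) leaves room for other algorithms.
$pdo->exec('CREATE TABLE user (name VARCHAR(64) PRIMARY KEY, passhash VARCHAR(255) NOT NULL)');
const BCRYPT_OPTS = ['cost' => 12];

function register(PDO $pdo, string $name, string $password): void
{
    // password_hash() generates a fresh random salt and embeds it, together
    // with the algorithm and cost, in the returned string.
    $hash = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
    // Placeholders keep user input out of the SQL text.
    $pdo->prepare('INSERT INTO user (name, passhash) VALUES (?, ?)')
        ->execute([$name, $hash]);
}

function login(PDO $pdo, string $name, string $password): bool
{
    $stmt = $pdo->prepare('SELECT passhash FROM user WHERE name = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();
    // Look the row up by name only; password_verify() re-derives the hash
    // from the salt stored in $hash and compares in constant time.
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    // Upgrade the stored hash if the cost was raised after it was created.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, BCRYPT_OPTS)) {
        $new = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
        $pdo->prepare('UPDATE user SET passhash = ? WHERE name = ?')
            ->execute([$new, $name]);
    }
    return true;
}

// Constructed sample accounts: two users who chose the same password.
register($pdo, 'alice', 'correct horse battery staple');
register($pdo, 'bob', 'correct horse battery staple');
foreach ($pdo->query('SELECT name, passhash FROM user') as $row) {
    echo $row['name'], ' ', $row['passhash'], PHP_EOL; // same password, different salts
}
var_dump(login($pdo, 'alice', 'correct horse battery staple'));
var_dump(login($pdo, 'alice', 'wrong password'));
```

bcrypt only uses the first 72 bytes of the password, so longer inputs are truncated before hashing.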
  • 2020-12-08 09:09
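    // mysql_* functions were removed in PHP 7; use mysqli or PDO there.
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);
    // The account creation time doubles as the per-user salt.
    $time = time();
    $query = "
    INSERT INTO user (name, unixcreationtime, passhash) 
    VALUES ('$username', '$time', SHA2(CONCAT('$time','$password'),512)) ";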
    

    Don't use SHA1, it is no longer secure.
    I suggest doing all hashing in MySQL, that way you can be sure there's no difference in the outcome of the hash.

    Select a user using:

    // Recompute the hash from the stored creation time (the salt) and compare.
    $query = "SELECT id FROM user 
              WHERE name = '$username' 
                AND passhash = SHA2(CONCAT(unixcreationtime,'$password'),512) ";
    
  • 2020-12-08 09:09

    It's an old topic, but others will come here too, so I will try to describe it very simply:

    If you do hash(password) you get the same hash value for every password [hash(password) = hash(password)]. If two users have the same password, you will see it because the hash values are the same. Some passwords like "password" or "12345678" are used very often, so: same hash value in your database -> maybe password "password" or "12345678" (rainbow table attack).

    If you hash(salt+password) you don't get the same hash for the same passwords, because hash(salt1+password) is not hash(salt2+password).

    hash(x) is just a mathematical function like f(x)=y. If you put in the same x you will get the same y. This function must be "special" to be safe. Just don't use sha1 because it is not safe anymore :D

  • 2020-12-08 09:16

    If a hacker gets access to your PHP files, he can simply add a mail function, so whenever anyone logs in, the account details are emailed to the hacker.

    If the hacker only gets access to the database, he should not get passwords plainly written there, so crypt them before saving. Save them as an md5 hash, which can't be reversed.

    I normally use a salt based on the username or userID, which the PHP program knows how to generate for each user, along with a static_site_key.
