Am I going the right way to make login system secure with this simple password salting?

Posted by LoVeSmItH on Stack Overflow See other posts from Stack Overflow or by LoVeSmItH
Published on 2012-11-04T10:49:45Z Indexed on 2012/11/04 10:59 UTC
Read the original article Hit count: 242

Filed under:
|

I have two fields in login table

  • password
  • salt

And I have this little function to generate salt

function random_salt($h_algo="sha512"){
        $salt1=uniqid(rand(),TRUE);
        $salt2=date("YmdHis").microtime(true);
        if(function_exists('dechex')){
            $salt2=dechex($salt2);
        }
        $salt3=$_SERVER['REMOTE_ADDR'];
        $salt=$salt1.$salt2.$salt3; 

        if(function_exists('hash')){
            $hash=(in_array($h_algo,hash_algos()))?$h_algo:"sha512";
            $randomsalt=hash($hash,md5($salt)); //returns 128 character long hash if sha512 algorithm is used.
        }else{
            $randomsalt=sha1(md5($salt)); //returns 40 characters long hash
        }

        return $randomsalt;
    }

Now to create user password I have following

$userinput=$_POST["password"] //don't bother about escaping, i have done it in my real project.
$static_salt="THIS-3434-95456-IS-RANDOM-27883478274-SALT"; //some static hard to predict secret salt.
$salt=random_salt(); //generates 128 character long hash.
$password =sha1($salt.$userinput.$static_salt);

$salt is saved in salt field of database and $password is saved in password field.

My problem, In function random_salt(), I m having this FEELING that I'm just making things complicated while this may not generate secure salt as it should. Can someone throw me a light whether I m going in a right direction?

P.S. I do have an idea about crypt functions and like such. Just want to know is my code okay?

Thanks.

© Stack Overflow or respective owner

Related posts about php

Related posts about salt