Am I going the right way to make login system secure with this simple password salting?
Posted
by
LoVeSmItH
on Stack Overflow
See other posts from Stack Overflow
or by LoVeSmItH
Published on 2012-11-04T10:49:45Z
Indexed on
2012/11/04
10:59 UTC
Read the original article
Hit count: 237
I have two fields in login table
- password
- salt
And I have this little function to generate salt
function random_salt($h_algo="sha512"){
$salt1=uniqid(rand(),TRUE);
$salt2=date("YmdHis").microtime(true);
if(function_exists('dechex')){
$salt2=dechex($salt2);
}
$salt3=$_SERVER['REMOTE_ADDR'];
$salt=$salt1.$salt2.$salt3;
if(function_exists('hash')){
$hash=(in_array($h_algo,hash_algos()))?$h_algo:"sha512";
$randomsalt=hash($hash,md5($salt)); //returns 128 character long hash if sha512 algorithm is used.
}else{
$randomsalt=sha1(md5($salt)); //returns 40 characters long hash
}
return $randomsalt;
}
Now to create user password I have following
$userinput=$_POST["password"] //don't bother about escaping, i have done it in my real project.
$static_salt="THIS-3434-95456-IS-RANDOM-27883478274-SALT"; //some static hard to predict secret salt.
$salt=random_salt(); //generates 128 character long hash.
$password =sha1($salt.$userinput.$static_salt);
$salt is saved in salt field of database and $password is saved in password field.
My problem, In function random_salt(), I m having this FEELING that I'm just making things complicated while this may not generate secure salt as it should. Can someone throw me a light whether I m going in a right direction?
P.S. I do have an idea about crypt functions and like such. Just want to know is my code okay?
Thanks.
© Stack Overflow or respective owner
