I have two salts, each user has a unique salt that is stored with the user info in the database. The second salt is one that is specific to the website. Both are needed to hash the passwords.
Problem is I don't know where I should keep my website salt. Right now it resides in the PHP method that runs the hashing algorithm. Should I keep it in a file outside the /var/www/ and have PHP open and read the file? I don't want to store it in the database because that would defeat the purpose of having two salts should my database be compromised.
Any suggestions?
The easiest way is to put the salt in front of the password and hash the combined text string. The salt is not an encryption key, so it can be stored in the password database along with the username – it serves merely to prevent two users with the same password getting the same hash.
Hash all passwords
Never store passwords in plain text. Always create a hash from them and store the hash instead. In password storage, hashing is superior to encryption since a hash can't be reversed.
Password salting is a technique to protect passwords stored in databases by adding a string of 32 or more characters and then hashing them. Salting prevents hackers who breach an enterprise environment from reverse-engineering passwords and stealing them from the database.
The salt can and should be stored right next to the salted and hashed password. Additionally, the salt should be unique per password. Its purpose is to make it unfeasible to attack a leaked password database by using precomputed tables of password-hash-pairs.
One option not mentioned yet? An environmental variable served by the server. You can do it in httpd.conf, or in a .htaccess. Since Apache doesn't serve .htaccess files, you don't need to worry about hiding it as much...
SetEnv WEBSITE_SALT 232lhsdfjaweufha32i4fv4239tauvkjn
That way, all you need to do in your application is $salt = getenv('WEBSITE_SALT');. The benefit here is that it's transparent to the application...
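The following is an added example, not code from the question or the answer above, that puts both ideas together: the per-user salt from the question is handled by password_hash(), and the site-wide salt (usually called a pepper) is loaded with getenv('WEBSITE_SALT') as the answer suggests, with a fallback to a file outside the web root. The file path /etc/myapp/website_secret is a hypothetical placeholder, the environment variable is set inside the script only so the example runs stand-alone, and PHP 7.2 or later is assumed.

```php
<?php
// Added example (not from the original question or answer). Assumes PHP 7.2+
// and a site-wide secret exposed either as the WEBSITE_SALT environment
// variable (as in the SetEnv answer) or in a file outside the web root;
// the path /etc/myapp/website_secret is a hypothetical placeholder.

declare(strict_types=1);

const SECRET_FILE = '/etc/myapp/website_secret'; // hypothetical path outside /var/www/

/**
 * Load the site-wide secret ("pepper"). It is never written to the database,
 * so a dump of the users table alone is not enough to attack the hashes offline.
 */
function loadWebsiteSecret(): string
{
    $secret = getenv('WEBSITE_SALT'); // set via SetEnv in httpd.conf or .htaccess
    if ($secret === false || $secret === '') {
        if (!is_readable(SECRET_FILE)) {
            throw new RuntimeException('website secret is not configured');
        }
        $secret = trim((string) file_get_contents(SECRET_FILE));
    }
    if (strlen($secret) < 32) {
        throw new RuntimeException('website secret is too short');
    }
    return $secret;
}

/**
 * Pre-hash the password with the site secret (HMAC-SHA256), then let
 * password_hash() generate the per-user random salt and do the slow hashing.
 * The 64-character hex HMAC stays under bcrypt's 72-byte input limit, and the
 * secret itself never appears in the stored hash string.
 */
function hashPassword(string $password, string $secret): string
{
    $peppered = hash_hmac('sha256', $password, $secret);
    return password_hash($peppered, PASSWORD_DEFAULT);
}

/** Verify a login attempt against the stored hash using the same pepper. */
function verifyPassword(string $password, string $storedHash, string $secret): bool
{
    $peppered = hash_hmac('sha256', $password, $secret);
    return password_verify($peppered, $storedHash);
}

// Demonstration only: a constructed secret is placed in the environment here so
// the script runs without a deployed SetEnv line or secret file.
putenv('WEBSITE_SALT=' . bin2hex(random_bytes(32)));
$secret = loadWebsiteSecret();

$stored = hashPassword('correct horse battery staple', $secret);

// The stored value contains algorithm, cost and the per-user salt, but not the pepper.
echo $stored, PHP_EOL;

// A correct password verifies; a wrong one does not.
var_dump(verifyPassword('correct horse battery staple', $stored, $secret));
var_dump(verifyPassword('wrong password', $stored, $secret));

// Two users with the same password get different stored hashes, because
// password_hash() draws a fresh random salt each time.
var_dump($stored !== hashPassword('correct horse battery staple', $secret));

// Without the right site secret, even the correct password fails to verify,
// which is what makes a database-only leak insufficient.
var_dump(verifyPassword('correct horse battery staple', $stored, 'a different secret'));
```

Whichever storage you pick for the site secret, make sure the PHP process can read it but the web server cannot serve it, and keep in mind that the HMAC step ties every stored hash to the secret: if you ever rotate it, existing hashes stop verifying, so record which secret version each hash was made with before you change it.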