
Where is the best place to store the password salt for the website?

I have two salts, each user has a unique salt that is stored with the user info in the database. The second salt is one that is specific to the website. Both are needed to hash the passwords.

Problem is I don't know where I should keep my website salt. Right now it resides in the PHP method that runs the hashing algorithm. Should I keep it in a file outside the /var/www/ and have PHP open and read the file? I don't want to store it in the database because that would defeat the purpose of having two salts should my database be compromised.

Any suggestions?

Stephen Gilboy asked Feb 17 '11 17:02


1 Answer

One option not mentioned yet? An environmental variable served by the server. You can do it in httpd.conf, or in a .htaccess. Since Apache doesn't serve .htaccess files, you don't need to worry about hiding it as much...

SetEnv WEBSITE_SALT 232lhsdfjaweufha32i4fv4239tauvkjn

That way, all you need to do in your application is $salt = getenv('WEBSITE_SALT');. The benefit here is that it's transparent to the application...

ircmaxell answered Oct 09 '22 14:10
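The approach from the answer above, carried through into a complete PHP hashing routine as an added example (not code from the question or the answer). It assumes `WEBSITE_SALT` has been set with `SetEnv` (or otherwise reaches the PHP process environment) and that the site-wide value is used as an HMAC key in front of `password_hash()`, which generates and stores the per-user salt itself, so the questioner's second salt does not need its own database column.

```php
<?php
// Added example: site-wide secret read from the environment, per-user salt
// handled by password_hash(), the two combined via HMAC. WEBSITE_SALT is
// assumed to come from httpd.conf / .htaccess (SetEnv) as in the answer.
declare(strict_types=1);

function site_secret(): string
{
    $secret = getenv('WEBSITE_SALT');
    // Fail closed: a missing or short value must never silently degrade to
    // an unkeyed hash, or every password would be hashed without the secret.
    if ($secret === false || strlen($secret) < 32) {
        throw new RuntimeException('WEBSITE_SALT is missing or too short');
    }
    return $secret;
}

// Key the password with the site secret before the slow hash. A copy of the
// database alone is then not enough to test guesses offline: the attacker
// also needs the secret, which lives outside the database. The hex output
// (64 chars) contains no NUL bytes and stays under bcrypt's 72-byte limit.
function pepper(string $password): string
{
    return hash_hmac('sha256', $password, site_secret());
}

function create_password_hash(string $password): string
{
    // password_hash() draws a random per-user salt and embeds it in the
    // returned string, so it can be stored next to the user record as-is.
    return password_hash(pepper($password), PASSWORD_BCRYPT, ['cost' => 12]);
}

function verify_password(string $password, string $stored_hash): bool
{
    // password_verify() extracts the embedded salt and cost itself.
    return password_verify(pepper($password), $stored_hash);
}

// Constructed demo value so the script runs stand-alone; in production the
// secret is set by the web server config, never generated or written here.
putenv('WEBSITE_SALT=' . bin2hex(random_bytes(32)));
$stored = create_password_hash('correct horse battery staple');
var_dump(verify_password('correct horse battery staple', $stored));
var_dump(verify_password('wrong guess', $stored));
```

Note that `SetEnv` reaches `getenv()` under mod_php; with PHP-FPM the value has to be provided through the pool's `env[WEBSITE_SALT]` setting instead, and rotating the secret invalidates every stored hash, so plan for re-hashing on next login.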