PHP - Salting Passwords, How To Store The Salt In The Db?

I honestly don't think salt is necessary with my system. I currently use:


$password = md5(sha1(md5(sha1($_POST['password']))));


Is this good enough when it comes to storing a password, encrypted?

which would be secured to use friends? or could we use both together?

show some usage example please

Ok this is my script so far:
Code: [Select]
class User {

function generateHash($password, &$saluti=null) {
define('SALT_LENGTH', 15);

$key = '!@#$%^&*()_+=-{}][;";/?<>.,';
if ($saluti=="")
{
$saluti = substr(hash('sha512', uniqid(rand(), true).$key.microtime()), 0, SALT_LENGTH);
}
else
{
$saluti = substr($saluti, 0, SALT_LENGTH);
}

return hash('sha512', $saluti . $key . $password);
}

function validate_user($username,$password) {
$mysql = new Database();
$hashedPassword = generateHash($password,'');
$ensure_credentials = $mysql->verify_username_and_password($username,$hashedPassword);

if($ensure_credentials) {
$_SESSION['auth'] == "yes";
header("Location: index.php");
}
else
return "That was not the correct username or password.";
}

}

It gives me this error:
Quote

[05-Feb-2012 17:14:59] PHP Fatal error:  Call to undefined function  generatehash() in /home1/elvonica/public_html/scripts/classes/user.php on line 24


Can anyone help me solve this?

Hey,

I know this questions get asked a lot but here is a different version of it.

What is a simple and secure method for storing data/passwords? I know there is a lot of debate in this subject but I run a browser game off my server and just want the data to be encrypted.

is this good enough or is this easy to crack?

Code: [Select]

<?php
 $password = 'abcdefg';
 $salt = 'whateversecrethash';
 $pw_hash = md5($salt.$password);
?>


or I just found this tutorial is this up to date and actually a good method?
http://webhole.net/2010/10/30/php-password-encryption-with-salt/

This is my code it's not working.

$username = $_POST['username'];


        $password = $_POST['password'];
        $encrypt_password = md5($password);

        $email = $_POST['email'];


        $usrsql = "SELECT * FROM $tbl_name WHERE username='$username' AND password='$encrypt_password'";

//--> Below is the INSERT Code

$query = "INSERT INTO `x_users` (username, password, email) VALUES ('$username', '$encrypt_password', '$email')";

        $result = mysql_query($query);

        if($result == 1) {

            print("Thank you, your accout has been created!");
        }

Can anyone tell me why the md5() function is not working?
Edited by Tom8001, 28 November 2014 - 07:49 PM.

Hi guys,

Iv been reading into password salting and im struggling to understand its purpose.

From what iv read you can basic salt a password by doing the following:


$salt = "randomtext";
$password = "apple";
$password = md5($password.$salt);


I was wondering though, if a hacker is able to crack the md5, wont they see the password and the salt? Example: a hacker cracks the md5 to reveal applerandomtext.

From applerandomtext it wont be hard for them to work out that the password is apple. So doesn't that make the idea of salting pointless?

I'm still trying to figure out why I should use salt.

If the bad guy knows a name and tries something like brute force shoving passwords into the log-in form until one worked how would salt help stop that?

If a bad guy, God forbid, gets hold of the user names and passwords like they did phpbb(?) forums several years ago how would salt stop that?

I know I may be beating this issue to death but if I have salt in the users table assigned to a user and his password now equals $stored_password = sha1($salt.$password) does this really doesn't matter? Because if the bad guy knows the user name and uses brute force or has a list of passwords from the users table that he has gotten some way. All he has to do is type in the user name and password and salt will be added automatically.

Salting passwords...

How can you update the salting without getting all the users to change their password?

Is the salting set in stone once created?

I'll start by apologizing for the stupid decision that led to this question.  A few years ago, I created a PHP/Myysql site with a login system and I created a field in the MySQL called "password" and it stored literally the exact password people entered (I know, I know).   The site has proven to have nice traffic potential, so I am going to re-vamp everything, including storing passwords properly (i.e. hashed).   My first question... Is there a way to convert regular text passwords to hashed passwords?  For example, I could create a new field in the "User" table for "hashedpassword" and write a script that takes all the insecure passwords and turns them into hashed passwords.  Then deleted the previous "bad" password field from the database.  This would allow me to do it without the customer every knowing anything changed.    Quick googling appears to support that it IS doable rather easily, with something like...

UPDATE mytable
SET password = MD5(password)

If not, I guess I would have to create a thing where the first time omeone logged in after I put hashing in place, the site would force them to change their password. I'd rather not annoy the visitors if it all possible.   Second question, what is the proper/recommended hashing method to use?   Some people seem to poo-poo MD5.  If you agree, should I use:   MD5 SHA MD5 with a salt SHA with a salt Something else i never heard of   NOTE:  My site is a fantasy sports site, so the data involved is not overly important.  Maybe a salt is overkill?  Or is being overly safe never a bad thing?   Lastly, don't need to address this, but if anyone can explain it like I'm 5 that would be great because i must be missing something... if you can easily turn a regular password into a hashed password, couldn't hackers easily do the reverse, which would render the hashing almost useless?  I get that salting helps, but before salting (i.e. doing ONLY MD5), I don't see how hashing helped that much (if you could reverese figure out the password).  What am I missing?   Thanks! Greg
Edited by galvin, 13 November 2014 - 09:44 AM.

When a User changes his/her Email Address, should I generate a new Salt and Hash?

(I am re-using the code I used for a Password Reset, and during that I generated a new Salt and Hash for security.  I guess it can't hurt...)

Thanks,


Debbie

I was wondering how most people use salt or what is the order of the steps to use salt?

Does the script take the new password then encrypt it then add salt and in encrypt it again, are they just added together and then encrypted or is it a combination of something like that?

And I guess the de-encrypting would be the reverse.

Not looking for code just the big picture.

Thanks
S

I am currently testing a small hash idea, for say database encryption for passwords.

Basically what I want to know is if this is a good or not the best method for encryption...

Code: [Select]
<?php

    $us_password = 'drowssap'; // User-Submitted Password; 
    $salt = '))!&8d*34d763!(('; //The salt
    $dbs_password = '3750221c513902ff76f4ec7ffed5fa4385d2599d'; // Sha1 hash for "drowssap"+Salt;

        if($us_password == sha1($us_password.$salt)){
            //Some other code for success here
        } else {
           //Failure code here
        }
    
?>

So basically, this is an abstract example of what I'm doing... Is it any good, or what could be improved? I've also used DB-Stored salts unique to each user, so even if someone used rainbow tables ( even after failure on my part for letting them get the hash... ), and multiple users had the same password, they would only crack one, rather than all of them, since the hashes would be different due to the different salts.

Just a quick question.

I have heard a few people say that they store a specific (maybe random) salt string in the same row as the user that is generated when the user account is created or password is changed. But I thought one of the reasons people use hashing is so if someone managed to get hold of the database they couldn't decipher the password (like a simple md5'd string). But putting the salt string next to the username surely gives the attacker a major push in the right direction?

I am not claiming to know anything, I'm just asking because I'm trying to find the best practice (Or at least a good tried and tested one). I like the idea of having a salt in a php config file, because that would mean an attacker would actually have to get your files, and if they had got that far then your pretty much screwed anyway.

Hey All,

I'm tryin to make a log-in system for multiple usernames and passwords, but I don't really know how many if statements i'd need for it.. I'm also a noob..


Code: [Select]
<?php

session_start();
$users = array("user1" =>"3202", "user2" =>"2002", "user3" =>"1061", "user4"=>"1400", "user5"=>"1001");

if($_REQUEST['username'] == "infs" && $_REQUEST['password'] == "3202"){

$_SESSION['username'] = "user1" ;
$_SESSION['password'] = "3202" ;

$_SESSION['username'] = "user2" ;
$_SESSION['password'] = "2002" ;

$_SESSION['username'] = "user5" ;
$_SESSION['password'] = "1001" ;

$_SESSION['username'] = "user3" ;
$_SESSION['password'] = "1061" ;

$_SESSION['username'] = "user4" ;
$_SESSION['password'] = "1400" ;
header("Location: home.php ");
}else{


 After checking if the matching username and password exist in my array then save them in a session...


What's the best way of doing it?

Hi Guys,

I wonder If I can call on this forums help once again.

I am trying to add salt to my md5 password hash. However I think I am getting the syntax slightly wrong as it is not working properly.

It works in the fact that when someone logs in and they have a 1 next to the member type it will direct them to the teachers page . However if no values are entered into the log in form and someone clicks log in it will still direct them to the students page when I thought it would direct them to log in failed.

The code for the log in form is:
Code: [Select]
//Sanitize the POST values
$login = clean($_POST['login']);
$password = clean($_POST['password']);
$salt = "salt";
$EncryptedPassword=md5($password, $salt);



//Create query
$qry="SELECT * FROM users WHERE username='$login' AND password='$EncryptedPassword'";
$result=mysql_query($qry);

//Check whether the query was successful or not
if($result) {
if(mysql_num_rows($result) == 1) {
//Login Successful
session_regenerate_id();
$member = mysql_fetch_assoc($result);
$_SESSION['SESS_MEMBER_ID'] = $member['id'];
$_SESSION['SESS_FIRST_NAME'] = $member['FirstName'];
$_SESSION['SESS_LAST_NAME'] = $member['LastName'];
$_SESSION['SESS_LAST_NAME'] = $member['Member_Type'];
session_write_close();
}
//if the member has an id equal to 0 send them to the member page
if($member['Member_Type'] == 0){
header("Location: Student-Page.php");
//if the member has an id equal to 1 send them to the admin page
} elseif($member['Member_Type'] == 1){
header("Location: Teachers-Page.php");
}
// regardless of the outcome, we need to exit, so it can be done once after both checks
exit();
} else {
//Login failed
header("location: login-failed.php");
exit();
}




In case you need it the code for the registration form where the password is originally salted upon creation is:

Code: [Select]
<?php
//Start session
session_start();

//Include database connection details
require_once('config.php');

//Connect to mysql server
$link = mysql_connect(DB_HOST, DB_USER ,DB_PASSWORD);


if(!$link) {
die('Failed to connect to server: ' . mysql_error());
}

//Select database
$db = mysql_select_db(DB_DATABASE);
if(!$db) {
die("Unable to select database");
}

//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
$str = @trim($str);
if(get_magic_quotes_gpc()) {
$str = stripslashes($str);
}
return mysql_real_escape_string($str);
}

//Sanitize the POST values
$username = clean($_POST['username']);
$FirstName = clean($_POST['FirstName']);
$LastName = clean($_POST['LastName']);
$Member_Type = clean($_POST['Member_Type']);
$password = clean($_POST['password']);
$Cpassword = clean($_POST['Cpassword']);
$salt = "salt";
$EncryptedPassword = md5($password,$salt);

//Check for duplicate login ID
if($username != '') {
$qry = "SELECT * FROM users WHERE username='$username'";
$result = mysql_query($qry);
if($result) {
if(mysql_num_rows($result) > 0) {

}
@mysql_free_result($result);
}
else {
//die("query failed");
}
}


//Create INSERT query
$qry = "INSERT INTO users(username, password, FirstName, LastName, Member_Type) 
VALUES('$username','$EncryptedPassword','$FirstName','$LastName','$Member_Type')";
$result = @mysql_query($qry);

//Check whether the query was successful or not
if($result) {
header("location: register-success.php");
exit();
}else {
die("Query Failed");
}
?>

If someone could take a look and point me in the right direction. Also if there are any other mistakes let me know I would be very grateful.

Thanks in advance.

Edd