12-03-2007, 03:45 PM #11
Wildhoney

In addition, I was quite fascinated with your idea on placing the salt anywhere in the password and so I've come up with 2 functions. 1 function is a PHP function to easily generate that, and the other is a MySQL function to be used in the SELECT statement when checking to see if it is a valid password.

As passwords can be variable lengths before they're hashed, I have set the 3rd argument to take a percent value and then it will work out the position based on the password's length. The function will return all the data you require to enter into your member table.

php Code:
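function hash_with_salt($szPassword, $szSalt, $iPosition = 50)
{
    // $iPosition is a percentage (0-100) of the password length.
    $iLen = strlen($szPassword);
    // Cast to int: substr() and the position column both need a whole offset.
    $iPos = (int) floor(($iLen / 100) * $iPosition);

    // Splice the salt into the password at $iPos, then hash the result.
    $szPass = sha1(substr($szPassword, 0, $iPos) . $szSalt . substr($szPassword, $iPos));

    // Everything that has to be stored in the member table.
    return (object) array('password' => $szPass, 'position' => $iPos, 'salt' => $szSalt);
}

// Position 0 places the salt in front of the password.
$pPassword = hash_with_salt('myPassword', '6ef5a', 0);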

You can then access the items it returns like so:

php Code:
echo $pPassword->password;

You need to enter all those into the member table. So you should have at least 3 columns in your table: password, position and salt. The MySQL query I came up with is this:

sql Code:
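-- The hash is rebuilt directly in WHERE: a user variable assigned in the
-- SELECT list is not reliably set by the time WHERE is evaluated.
-- INSERT() counts from 1, so the stored 0-based position needs + 1.
SELECT
    myUsername
FROM
    users
WHERE
    myUsername = 'Wildhoney'
AND
    myPassword = SHA1(INSERT('myPassword', position + 1, 0, salt))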

I had to add 1 to the position column as it appears that INSERT works from a different base number when compared to PHP's substr. They do say you learn something new every day!

...And that's my implementation! Passwords just became a whole lot securer. Maybe. Or maybe it was a beautiful exercise in futility. Not too sure on that front! It sure does look beautiful though.
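A way to keep logins working for rows created by the scheme in the post while moving them to PHP's built-in `password_hash()`, which generates its own salt and is deliberately slow where SHA-1 is fast. This is an added example, not part of the original post; the `algo` column and the function names are assumptions, while `password`, `position` and `salt` are the columns the post describes.

```php
<?php
// Added example, not from the original post. The 'algo' marker column and
// the function names are assumptions made for illustration.

// Rebuild the post's hash: salt spliced into the password at a 0-based offset.
function legacy_hash(string $password, string $salt, int $pos): string
{
    return sha1(substr($password, 0, $pos) . $salt . substr($password, $pos));
}

// Check a login against one member row. Returns [bool $ok, array $row];
// a legacy row that verifies comes back converted to password_hash() format.
function verify_and_upgrade(array $row, string $password): array
{
    if ($row['algo'] === 'legacy') {
        $candidate = legacy_hash($password, $row['salt'], (int) $row['position']);
        // hash_equals() compares in constant time.
        if (!hash_equals($row['password'], $candidate)) {
            return [false, $row];
        }
        // Correct password: re-hash it and drop the now unused columns.
        $row = ['algo' => 'php', 'salt' => null, 'position' => null,
                'password' => password_hash($password, PASSWORD_DEFAULT)];
        return [true, $row];
    }
    $ok = password_verify($password, $row['password']);
    // Refresh the hash when PHP's default algorithm or cost has changed.
    if ($ok && password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $row['password'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return [$ok, $row];
}

// Constructed sample row, built the way the post's function would store it.
$row = ['algo' => 'legacy', 'salt' => '6ef5a', 'position' => 5,
        'password' => legacy_hash('myPassword', '6ef5a', 5)];

// A failed attempt must leave the legacy row unchanged.
[$ok, $row] = verify_and_upgrade($row, 'wrong guess');
var_dump($ok, $row['algo']);

// A successful attempt converts the row.
[$ok, $row] = verify_and_upgrade($row, 'myPassword');
var_dump($ok, $row['algo']);

// Later logins go through password_verify().
[$ok, $row] = verify_and_upgrade($row, 'myPassword');
var_dump($ok);
```

The caller is expected to write the returned row back to the member table after a successful login.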