1

Sorry for being new to PHP programming. In my old project I used MD5 to encrypt the password; however, it is not secure enough, and I found some resources on the internet suggesting using a password salt instead.

The problem is, I am using CodeIgniter. Is there any helper/library for this purpose, or how can I change my old code to support the generation of a password salt?

Thanks for helping. I am using PHP 5.2.

And here is the old code to validate, while the user account is generated by storing md5($password):

```php
function validate_credentials()
{
    $this->load->model('Secure_model');
    $username = $this->input->post('username');
    $password = md5($this->input->post('password'));
    $is_valid = $this->Secure_model->validate('customer', $username, $password);
    if ($is_valid) {
        $data = array(
            'user_id' => $this->get_user_id($username),
            'user_name' => $username,
            'is_logged_in_user' => true
        );
        $this->session->set_userdata($data);
        redirect('profile');
    } else {
        $data['message_error'] = TRUE;
        $data['main_content'] = 'front/login';
        $this->load->view('front/includes/template', $data);
    }
}
```
10
  • I found that I need to store the salt in the database as well. Is this tutorial sunnyis.me/blog/secure-passwords appropriate for my requirement? Thanks a lot. Commented Sep 8, 2014 at 9:09
  • 1
    Don't store the salt in the database! If someone manages to dump the DB, they will get the salt used. It's basically the same as not using any salt. Commented Sep 8, 2014 at 9:15
  • Thanks for your reply. From that tutorial it seems I don't even need to store the salt, just code it like the md5. But is the salt unique for each record in phpass? Commented Sep 8, 2014 at 10:36
  • 1
    @DannyThunder - With a unique salt per password, an attacker has to build a rainbow-table for each password, which doesn't make sense (brute-forcing is faster). So the purpose of the salt is to prevent the usage of one single rainbow-table to get all passwords at once. What you probably have in mind is called a pepper or a key. If you are interested you may have a look at my tutorial about safely storing passwords. Commented Sep 9, 2014 at 19:55
  • 1
    @martinstoeckli that part I do understand; it's the storing of the salt in the DB that I don't understand. Sure, if it is a different DB. Will check out your page! Thanks. Commented Sep 9, 2014 at 20:46

5 Answers

6

If you are really stuck with PHP 5.2, your best bet will probably be the phpass library, because there is no PHP support for the BCrypt algorithm.

PHP versions 5.3 and later will have native support of BCrypt, so you can use the PHP function password_hash() to hash a password. There is a compatibility pack for versions before 5.5.

```php
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);

// Check if the hash of the entered login password matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
```

In any case, you are doing the right thing by discarding MD5 and switching to another algorithm. Make sure that you use an algorithm with a cost factor, like BCrypt or PBKDF2; fast algorithms like SHA* are not appropriate for hashing passwords. Salting is mandatory, though the salt can be stored in the database; it fulfills its purpose even if it is known.
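One way to move the question's md5()-based validate_credentials() over to this answer's password_hash()/password_verify() approach, as an added example that is not part of the original answer or of CodeIgniter: the class below verifies bcrypt hashes and, on a successful login, replaces any remaining unsalted md5 digest with a bcrypt hash, so legacy rows are upgraded without forcing a password reset. Assumed: PHP 5.6+ (or the compatibility pack mentioned above plus a hash_equals() polyfill) and a hypothetical model exposing get_hash($username) and update_hash($username, $hash).

```php
<?php
// Added example (not from the original answers or from CodeIgniter).
// Assumes PHP 5.6+ for password_*() and hash_equals(), or password_compat
// plus a hash_equals polyfill on 5.3/5.4; $model is a hypothetical
// model exposing get_hash($username) and update_hash($username, $hash).
class PasswordMigrator
{
    const COST = 12;   // assumed bcrypt cost; tune so one hash takes ~100 ms
    private $model;
    public function __construct($model) { $this->model = $model; }

    /** Hash a new or changed password; bcrypt generates and embeds the salt. */
    public static function hash($password)
    {
        return password_hash($password, PASSWORD_BCRYPT, array('cost' => self::COST));
    }

    /** Legacy rows hold an unsalted md5 hex digest (32 hex characters). */
    public static function isLegacyMd5($stored)
    {
        return preg_match('/^[0-9a-f]{32}$/i', $stored) === 1;
    }

    /**
     * True when $password matches the hash stored for $username. A legacy
     * md5 match is re-hashed with bcrypt on the spot, and a bcrypt hash
     * made with a lower cost than COST is upgraded the same way.
     */
    public function verify($username, $password)
    {
        $stored = $this->model->get_hash($username);
        if ($stored === null || $stored === '') {
            return false;
        }
        if (self::isLegacyMd5($stored)) {
            if (!hash_equals($stored, md5($password))) {
                return false;
            }
            $this->model->update_hash($username, self::hash($password));
            return true;
        }
        if (!password_verify($password, $stored)) {
            return false;
        }
        if (password_needs_rehash($stored, PASSWORD_BCRYPT, array('cost' => self::COST))) {
            $this->model->update_hash($username, self::hash($password));
        }
        return true;
    }
}
```

Once every user has logged in at least once, the isLegacyMd5() branch no longer matches any row and can be deleted.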


2

Look at this part of my code that I use to register a user:

```php
public function addUser($data)
{
    // Per-user salt: 9 hex characters derived from uniqid()
    $salt = substr(md5(uniqid(rand(), true)), 0, 9);
    // SET added: the original line omitted it, which is not valid SQL
    $sql = "INSERT INTO `user` SET salt=" . $this->db->escape($salt)
         . ", password=" . $this->db->escape(sha1($salt . sha1($salt . sha1($data['password']))))
         . ".......";
    $this->db->query($sql);
}
```

The information of salt and password are stored in your user table. To retrieve the information and validate the password you do this:

```php
$query = $this->CI->db->query(
    "SELECT * FROM `user` WHERE email = " . $this->CI->db->escape($email)
    . " AND password = SHA1(CONCAT(salt, SHA1(CONCAT(salt, SHA1("
    . $this->CI->db->escape($password) . ")))))"
);
```


1

Here are some simple solutions.

  • You can use sha* hash functions; be careful in using md5, since it has a higher rate of collisions than sha.

  • And also about your problem with salt: it is OK if you don't salt your password, just make sure your users use a very good password with a combination of lower and upper case letters and numbers, and make them lengthy.

I would like to advise you to use bcrypt, but since you are using 5.2 it has a bug on that version, and certain password libs like PHPASS and PHPLIB cater only to 5.3 and above. The best option is to upgrade to 5.3 so that you can use the PHP libs, but take full caution with the scripts.


1

As far as I know codeigniter does not have a built-in function for this...

To make a hash with PHP you need

  • the password
  • a true random salt
  • a slow hashing algorithm

In PHP you can create a true random salt by using mcrypt_create_iv().

To make the hash, you can use crypt() or password_hash(), which support slow algorithms like CRYPT_BLOWFISH. Forget md5 or sha1; they are too fast, so with the proper tool it is possible to find out passwords hashed by them.

```php
// 22 random bytes from /dev/urandom; mcrypt itself was removed in PHP 7.2,
// and the 'salt' option below is deprecated since PHP 7.0 (ignored since 8.0).
$salt = mcrypt_create_iv(22, MCRYPT_DEV_URANDOM);
$hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => 11, 'salt' => $salt));
```

The password_hash() function can generate a true random salt automatically, so you don't have to generate it manually if you don't want to. The salt will be appended to the hash.

Sadly, PHP 5.2 does not have CRYPT_BLOWFISH support, so you have to use the phpass lib.

4 Comments

  • If you can use the password_hash() function, it is better not to generate a salt on your own; this is done safely by the function itself.
  • Is it possible to store that salt? What if I want to migrate to another server, are the salts lost? Do they depend on the environment?
  • The resulting hash value will have the salt included in plaintext; this is the usual way to store the salt. The function password_verify() will extract the salt from this hash. I tried to explain this format in another answer.
  • Thanks! I did not know, I always stored the salt in a separate column.
0

You should set a salt in your config file:

```php
// in your config file
$config['salt'] = '$%#~De@';
```

Then, inside your model or controller where you are getting your post values:

```php
// the closing quote in $config['salt'] and the extra ->( in post() are fixed from the original
$password = sha1($this->config->item('salt') . $this->input->post('password'));
```

This should give you the hashed password.
