I just recently began looking into password encryption. My current code looks like this :
<?php
define('salt','7hPqMO(m=F+!!L6(#Yhp-CdF, &Q}+cIrA;c@wcP(E--V<qRmq!v*aSnM;H=4cD0');
$password = "CatsRsoCool47";
$myHash = hash( 'whirlpool',salt.$password );
echo $myHash;
?>
How would I check if the user inputed the correct password? I assume there is some sort of built in function that takes the parameters of the salt,hash and the encryption method and returns a boolean.
Also, what is the safest way of generating a salt? The current salt I have is static and the same for every user. Should I do something like
$salt = Time()+'7hPqMO(m=F+!!L6(#Yhp-CdF, &Q}+cIrA;c@wcP(E--V<qRmq!v*aSnM;H';
If it was done like so, wouldn't I have to store the timestamp in the database per user. Isn't that a security flaw?
I am lost.... Please suggest the best way to hash and check passwords. A script would be nice to look at :) This question might also be a possible duplicate, if so I'm very sorry
Basically, when a password comes in, whatever you did to store the password, you use the same thing applied to the incoming password.
You can then check that the two salt+hash values are the same.
It's as simple as that - do the same thing to the two passwords and you should get the same result.
You're right to be worried about using the same salt every time. What you really want to do it to use a different salt each time. You can then store the salt alongside the password. It sounds counter-intuitive, but this is perfectly OK. Having the salt doesn't allow you to reverse the hash as the process isn't reversible anyway.
Then, when you want to check a password, you look up the user, get their salt, use it to apply the hash and then check what you end up with against their stored hash.
For example (using a constant salt), you might have something like:
?>
Hopefully it's easy to see how you might use this technique with a moving salt.
Note - this is not encryption - the whole point is that the method is one way. You generate something that cannot be used to retrieve the actual password. Encryption implies the process is reversible.
Attacks on hashed passwords are done by what's called a 'rainbow table'.
The attacker builds a table of possible password alongside their corresponding hashes using the same technique that you use. This table is then compared against your stored passwords. When there's a match the attacker can then infer the password that was stored for that row.
Having a single salt makes this easier as the technique is identical for every password. If you use a different salt per row then the technique has a random factor meaning the attacker needs a MUCH bigger rainbow table to attack you with - essentially a full sized table per row.