$dbRes = mysql_query("SELECT password_hash FROM `users` WHERE username = '$user_input_username' LIMIT 1") Mysql_query("INSERT INTO `users` (username,p assword_hash) VALUES '$valid_username', '$trimmed_password_hash'") $trimmed_password_hash = substring($password_hash, CRYPT_SALT_LENGTH) use the number defined in constant CRYPT_SALT_LENGTH
Note, irrespective of number of chars provided, algorithm will always Drop the salt from beginning of the hash result. If (strlen($password_hash) < 13 || $password_hash = $salt) Anything less than 13 chars is a failure (see manual) combine username + password to give algorithm more chars to work with $salt = '$2a$07$somevalidbutrandomchars$' store this in another file outside web directory and include it Would need modification for other algorithms. The below is specific to blowfish, SHA-256 and SHA-512 which all return the salt within the hash. so please don't just copy the below blindly (and ideally use PDO instead of mysql extension).
Not storing the salt just makes life more difficult they still have to get the data being input to the algorithm right - but why make it easier?Ģb) VARCHAR(32) should be fine for blowfish, if not storing the hashģ) Assuming you've already run the proper injection prevention code, etc. Less strictly speaking, depends how defensive you wish to be against hackers. Set it with the strictest permissions possible ideally read only to web host service (e.g.
Also, store your salt in a file not accessible beneath the web server's document root and include it. 'salt' should not be random, or you would not be able to regenerate the same hash for a given input - see 3.Ģa) Strictly speaking, everything except the hash (in case database is compromised). 1a) Strength of encryption - requirement in the range of 4.31.
0 kommentar(er)
