I'm trying to correctly do a per user and site wide salt for my passwords. Here's what I've got:
require('../../salt.php'); //this is above the web root and provides $salt variable $pw = mysql_real_escape_string($_POST['pw']); $per_user_salt = uniqid(mt_rand()); $site_salt = $salt //from salt.php that was required on first line $combine = $pw . $per_user_salt . $site_salt; $pw_to_put_in_db = hash("sha512", $combine);
Is this right? Thanks
Based on comments here is what I'm going to do:
$combine to something that is unique per user but not stored in db. So something like:
$combine = $pw . md5($pw) . 'PoniesAreMagical' . $site_salt . md5($pw);, etc etc etc... Thanks for the help...
So - for those of you trying to figure out how to do this for the first time (like me)... its all about the algorithm... make something obscure, unique, difficult to figure out; because if someone wants to get into your system, they are going to have to figure this out. Thanks to all for awesome comments.
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki