Store Hash and/or Encryption salts in database

Question

I am doing a custom login for practice purposes, and i am wondering what would be the logical way to save the hashed password and the salts.

Salt/Hash operations are using Rfc2898DeriveBytes class.

As for now, it is like this:

The user registers, the password is encrypted with a random salt (which is saved to the database) and hashed with a hard-coded salt with 10000 iterations.

As the iterations can be raised in time due to computational improvements, i am saving the Hash iterations (the Encryption iterations are hard-coded) them on the database.

I would like opinions on how safe is a hard-coded hash salt, or if i should make it random and add the hash salt to the database too.

What is the purpose of the second salt if the password is already hashed with a first random salt? — Matthew Peters, Sep 28 '15 at 15:22

score -1 · Answer 1 · edited Sep 28 '15 at 16:11

-1

I would recommend you use a static string as a salt for example, "thisisstaticand10000characterslong". Use the password inside this ( $salt1.$post['password'].$salt2). Then hash it with MD5. If the user wants to login than you make the same method to check if the password entered by the user is correct.

if(md5(($salt1.$_POST['password'].$salt2) == $password)
{ 
    /* Your code */
}

edited Sep 28 '15 at 16:11

RoraΖ

12,317
4
51
83

answered Sep 28 '15 at 15:50

user87867

1
1

Never use a cryptographic hash to store user set passwords - it is far too fast. See the linked post (user bcrypt, pbkdf2 or scrypt instead). – SilverlightFox Sep 29 '15 at 07:44

Store Hash and/or Encryption salts in database

1 Answers1