
I'm thinking about using the password_hash function for generating password hashes. I have read that you shouldn't generate your own salt and should instead use the default one that the function generates. Supplying your own salt is even deprecated (from the manual page):

Warning
The salt option has been deprecated as of PHP 7.0.0. It is now preferred to simply use the salt that is generated by default.

Anyway, I still feel like I should add my own system-wide salt like this:

$system_salt   = 'system_secret_key';
$hash          = password_hash($password.$system_salt, PASSWORD_BCRYPT);

So, if anyone gained access to the database, but not to the scripts, then even after cracking the password he would only find the salted password (or a collision), which would not be usable on other sites.

  1. Is this a good approach?
  2. Can this make the hashes less secure (easier to crack), since they will all have the same sequence of characters (the system-wide salt) at the end?
Buksy

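An added example (not part of the original question or answer) that shows both points from the question in code: password_hash() still draws a fresh random salt on every call even when a shared secret is mixed in, and why the secret is combined via HMAC rather than plain concatenation. The secret value and the function names are assumptions made for this illustration.

```php
<?php
// Added example, not code from the original post.
// The secret below is a constructed placeholder; in a real deployment it
// would be loaded from configuration stored outside the database.
const SYSTEM_SECRET = 'constructed-placeholder-secret';

// Combine the password with the secret using HMAC instead of "$password . $secret".
// PASSWORD_BCRYPT only looks at the first 72 bytes of its input, so with plain
// concatenation a long password pushes the appended secret past that limit and
// it is silently dropped. HMAC-SHA256 always yields a 64-character hex string,
// so the 72-byte limit is never reached.
function peppered_hash(string $password): string
{
    $input = hash_hmac('sha256', $password, SYSTEM_SECRET);
    return password_hash($input, PASSWORD_BCRYPT, ['cost' => 12]);
}

function peppered_verify(string $password, string $hash): bool
{
    $input = hash_hmac('sha256', $password, SYSTEM_SECRET);
    return password_verify($input, $hash);
}

$password = 'correct horse battery staple';
$h1 = peppered_hash($password);
$h2 = peppered_hash($password);

// Question 2: the two hashes differ because password_hash() generates a new
// random per-hash salt each time; the shared secret does not make them
// identical or linkable across users.
var_dump($h1 !== $h2);
var_dump(peppered_verify($password, $h1));
var_dump(peppered_verify('wrong password', $h1));

// The truncation problem with plain concatenation: a 72-byte password followed
// by the secret verifies against the bare password, because bcrypt never saw
// the secret at all.
$long   = str_repeat('a', 72);
$concat = password_hash($long . SYSTEM_SECRET, PASSWORD_BCRYPT);
var_dump(password_verify($long, $concat));
```
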
1 Answer


There are two main problems with this approach:

Someone trying to brute-force a single password will still have to go through the same amount of computation, but someone trying to get the passwords for multiple users will have to compute only one table for all the users on your system. The more important problem, though, is that it's a deprecated function, which means you may not be able to rely on it after a few more updates, and thus your code might stop running as soon as the function is removed in a future PHP update.

Pascal Sommer