
I heard it was good practice to have each user have a unique salt, when I'm hashing a user's password with a salt. My question is, can I make my salt a hash of the user's username? Ex.

    // PHP-style sketch of the scheme; algorithm name added so hash() has its required first argument
    $username_hash = hash('sha256', $username);
    // '.' is string concatenation in PHP ('+' would attempt numeric addition)
    $pwd_hash = hash('sha256', $username_hash . $password);

Would something like that be considered acceptable? And more importantly, secure?

Edit:

I know I could do

    $pwd_hash = hash('sha256', $username . $password);

But if I do that it doesn't protect from rainbow tables, although a hash of the username would.

Alex Jone

No. Please read: https://stackoverflow.com/a/1645190/22674 – Jacco Oct 29 '17 at 14:27

Possible duplicate of [Is it a good idea to use the user's username as a salt when hashing a password like hash(username_str + password_str)?](https://security.stackexchange.com/questions/69421/is-it-a-good-idea-to-use-the-users-username-as-a-salt-when-hashing-a-password-l), [Why not use username as a password salt?](https://security.stackexchange.com/questions/150007/why-not-use-username-as-a-password-salt), [Is it acceptable to generate salts with a hash of the username?](https://security.stackexchange.com/questions/39492/is-it-acceptable-to-generate-salts-with-a-hash-of-the-username). – Steffen Ullrich Oct 29 '17 at 17:46

Consider using a well-developed framework or authentication library that handles these implementation details properly. – multithr3at3d Oct 29 '17 at 18:12

1 Answer

No.

Remember that people tend to reuse passwords from service to service. If two systems use your scheme and someone uses the same username and password on both systems, then they will end up with the same hash in both cases.

Salts aren't secret, and technically the randomness requirement on them isn't as strong as what is required for cryptographic keys, but it is best to generate them the same way that you would generate keys, just to avoid this and other sorts of mistakes that people make when creating salts.

Jeffrey Goldberg
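The following is an added example (not code from the question or the answer) that puts the two schemes side by side: the question's `hash(hash(username) + password)` construction, and the answer's recommendation of a per-user salt drawn from the same CSPRNG you would use for a key. It simulates the same user registering on two independent services and shows that the username-derived salt yields identical stored hashes on both, while random salts do not. SHA-256 and PBKDF2-HMAC-SHA256 are stand-ins chosen for illustration; the record format and function names are assumptions of this example.

```python
"""Added example: why a username-derived salt gives the same password hash
on every service that uses the scheme, and what a random per-user salt
fixes.  Illustration code, not taken from the original post."""
import hashlib
import hmac
import os


def username_salted_hash(username: str, password: str) -> str:
    """The scheme from the question: salt = hash(username).
    Deterministic, so two unrelated services produce the same hash for the
    same (username, password) pair.  SHA-256 is used here only to make the
    point; an unsalted fast hash is also far too fast for password storage."""
    username_hash = hashlib.sha256(username.encode()).hexdigest()
    return hashlib.sha256((username_hash + password).encode()).hexdigest()


def make_record(password: str, *, iterations: int = 600_000) -> str:
    """Random 16-byte salt from the OS CSPRNG (the 'generate it like a key'
    advice from the answer) plus a slow KDF.  The stored record carries the
    salt and parameters so the hash can be recomputed at login.
    Record layout is an assumption of this example: algo$iters$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_record(record: str, password: str) -> bool:
    """Recompute with the stored salt and parameters; constant-time compare."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def cross_service_collision(username: str, password: str) -> tuple[bool, bool]:
    """Simulate one person reusing the same username and password on two
    independent services.  Returns
    (hashes collide with username-derived salt, hashes collide with random salt)."""
    site_a = username_salted_hash(username, password)
    site_b = username_salted_hash(username, password)
    rec_a = make_record(password)
    rec_b = make_record(password)
    return site_a == site_b, rec_a == rec_b


if __name__ == "__main__":
    # Constructed sample credentials.
    print(cross_service_collision("alice", "correct horse battery staple"))
    rec = make_record("correct horse battery staple")
    print(rec)
    print(verify_record(rec, "correct horse battery staple"))
```

With the username-derived salt, a breach of one service hands the attacker a hash that is directly comparable to the same user's hash elsewhere, and a cracked password on one site is a confirmed password on the other. With random salts the two records share nothing, and each one has to be attacked on its own.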