Welcome to our Secure Development Tips blog

Every other week, we provide expert tech tips on how to build and deploy secure applications.  These best practices, derived from Security Innovation’s assessments of the worlds’ most dominant software applications,  are taken directly from our TeamMentor product, which includes more than 3,500 guidance assets and articles on secure software design, coding and testing.    

Recent Security Innovation Blog Post:

Subscribe by Email

Your email:

Secure Development Tips

a blog with tips relating to secure application development, from Security Innovation's eknowledge database, TeamMentor

Current Articles | RSS Feed RSS Feed

Hash And Salt Passwords


Applies to

  • PHP

What to Do

Hash and salt stored passwords.


Storing hashes instead of plain-text passwords assures that an attacker cannot easily recover the passwords if he gains access to the password files. Adding salt to hashed files makes hashes much harder to break with dictionary attacks. Hashing should be applied multiple times, because modern computers can perform hashing operations very quickly.


Hash and salt passwords whenever storing them.


Perform the following actions to hash and salt stored passwords:

  1. Generate a random salt value. Each bit of salt doubles the memory and computational requirements for dictionary attacks. Recommended salt lengths are 64-bit or more. Use a random number generator of your choice to generate a random number of required size. Use this number as the salt. The following example creates a salt 64 characters (256-bit) long:

$salt = hash('sha256', uniqid(mt_rand(), true) . $username);

  1. Concatenate the password and the salt. Use string functions to concatenate the password and the salt. Make sure your buffer is large enough to store the concatenated string to prevent buffer overflows. For example:

$storedHash = $salt . $password;

  1. Hash the password and the salt. Use a strong cryptographic hashing algorithm, such as SHA256, to hash the concatenated password and salt. For example:

for ( $i = 0; $i < 50000; $i ++ )
    $storedHash = hash('sha256', $storedHash);

  1. Store the hash and the salt. Store the hash in the file or database of your choosing. It is important to store both the hash and the salt, because the salt will have to be used when comparing user entered passwords to the hashed value.
  2. Implement password verification. During authentication, the password entered by the user should be checked against the hashed and salted value. To do this, retrieve the hash value and the salt from password storage. Concatenate user input with the stored salt, hash the resulting string and compare the resulting string against the stored hash. If the resulting hash is the same as the stored hash, the user has entered the correct password. In the following example, $userPassword is the user enter password that needs to be validated and $storedHash is the stored salted hash:

$salt = substr($storedHash, 0, 64);
$validateHash = $salt . $userPassword;
for ( $i = 0; $i < 50000; $i ++ )
    $validateHash = hash('sha256', $validateHash);
$validateHash = $salt . $validateHash;
if ($storedHash == $validateHash)
//The entered password is correct.
//The entered password is incorrect.

Additional Resources



Post Comment
Website (optional)

Allowed tags: <a> link, <b> bold, <i> italics