Welcome to our Secure Development Tips blog

Every other week, we provide expert tech tips on how to build and deploy secure applications.  These best practices, derived from Security Innovation’s assessments of the worlds’ most dominant software applications,  are taken directly from our TeamMentor product, which includes more than 3,500 guidance assets and articles on secure software design, coding and testing.    

Recent Security Innovation Blog Post:

Subscribe by Email

Your email:

Secure Development Tips

a blog with tips relating to secure application development, from Security Innovation's eknowledge database, TeamMentor

Current Articles | RSS Feed RSS Feed

Hash And Salt Passwords

  
  

Applies to

  • PHP

What to Do

Hash and salt stored passwords.

Why

Storing hashes instead of plain-text passwords assures that an attacker cannot easily recover the passwords if he gains access to the password files. Adding salt to hashed files makes hashes much harder to break with dictionary attacks. Hashing should be applied multiple times, because modern computers can perform hashing operations very quickly.

When

Hash and salt passwords whenever storing them.

How

Perform the following actions to hash and salt stored passwords:

  1. Generate a random salt value. Each bit of salt doubles the memory and computational requirements for dictionary attacks. Recommended salt lengths are 64-bit or more. Use a random number generator of your choice to generate a random number of required size. Use this number as the salt. The following example creates a salt 64 characters (256-bit) long:

$salt = hash('sha256', uniqid(mt_rand(), true) . $username);

  1. Concatenate the password and the salt. Use string functions to concatenate the password and the salt. Make sure your buffer is large enough to store the concatenated string to prevent buffer overflows. For example:

$storedHash = $salt . $password;

  1. Hash the password and the salt. Use a strong cryptographic hashing algorithm, such as SHA256, to hash the concatenated password and salt. For example:

for ( $i = 0; $i < 50000; $i ++ )
{
    $storedHash = hash('sha256', $storedHash);
}

  1. Store the hash and the salt. Store the hash in the file or database of your choosing. It is important to store both the hash and the salt, because the salt will have to be used when comparing user entered passwords to the hashed value.
  2. Implement password verification. During authentication, the password entered by the user should be checked against the hashed and salted value. To do this, retrieve the hash value and the salt from password storage. Concatenate user input with the stored salt, hash the resulting string and compare the resulting string against the stored hash. If the resulting hash is the same as the stored hash, the user has entered the correct password. In the following example, $userPassword is the user enter password that needs to be validated and $storedHash is the stored salted hash:

$salt = substr($storedHash, 0, 64);
$validateHash = $salt . $userPassword;
for ( $i = 0; $i < 50000; $i ++ )
{
    $validateHash = hash('sha256', $validateHash);
}
$validateHash = $salt . $validateHash;
if ($storedHash == $validateHash)
{
//The entered password is correct.
}
else
{
//The entered password is incorrect.
}

Additional Resources

 

Comments

Post Comment
Name
 *
Email
 *
Website (optional)
Comment
 *

Allowed tags: <a> link, <b> bold, <i> italics