
Adding Salt to Registration

So, you already know that hashing via md5 is an irreversible process, and a hacker who gains access to the hash will not be able to retrieve the password from this hash.

In fact, this statement is not entirely true: attackers have long since compiled lookup tables of hashes for popular and not-so-popular passwords, and anyone can recover such a password simply by googling its hash.

This applies to fairly simple, popular passwords.

Google, for example, the hash 827ccb0eea8a706c4c34a16891f84e7b and you will immediately see in the Google search results that it is the password '12345'.

Hashes of sufficiently complex passwords cannot be cracked this way (try it).

You might ask, what's the problem then - let's all register with complex passwords. However, there is a problem - most users do not think about the security of their data and may enter rather simple passwords.

During registration, we can force users to come up with longer passwords by limiting, for example, the minimum number of characters to 6 or 8, however, passwords like '123456' or '12345678' will still appear.

Of course, we can come up with a smarter algorithm for checking password complexity, but there is another solution.

The essence of this solution is: passwords must be salted. Salt is a special random string that will be added to the password during registration, and the hash will be calculated not from the plain password, but from the string salt+password, i.e., from the salted password.

That is, during registration, you will do something like this:

<?php
    $salt = '1sJg3hfdf'; // salt: a complex random string
    $password = md5($salt . $_POST['password']); // hash of the salted password
?>

In practice the salt must be different for each user, so it has to be generated randomly at the moment of registration.

Here is a ready-made function that will do this:

<?php
    function generateSalt() {
        $salt = '';
        $saltLength = 8; // salt length

        for ($i = 0; $i < $saltLength; $i++) {
            $salt .= chr(mt_rand(33, 126)); // printable character from the ASCII table (codes 33-126)
        }

        return $salt;
    }
?>

Using this function, we can rewrite our code like this:

<?php
    $salt = generateSalt(); // random salt for this user
    $password = md5($salt . $_POST['password']); // hash of the salted password
?>

I repeat: these are changes to registration. We save to the database not the hash of the password itself, but the hash of the salted password.

That's not all: in the user table, besides the fields login and password, we need to create another field salt, in which we will store each user's salt.

Implement the registration described above with a salted password.
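Registration and the matching login check for the scheme described above, as an added example (not code from the original page). It assumes a PDO connection $pdo and a table users(login, password, salt), both hypothetical; the salt generator keeps the page's shape but uses random_int() instead of mt_rand(), since mt_rand() output is predictable.

```php
<?php
// Added example: registration and login with a per-user salt, as in the text above.
// Assumes a PDO connection $pdo and a table users(login, password, salt) (hypothetical).

// Same shape as the page's generateSalt(), but random_int() is backed by a CSPRNG,
// whereas mt_rand() is predictable and unsuitable for security-relevant values.
function generateSalt(int $length = 8): string
{
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= chr(random_int(33, 126)); // printable ASCII character
    }
    return $salt;
}

// Registration: store the login, the salted hash and the salt itself (never the plain password).
function registerUser(PDO $pdo, string $login, string $plainPassword): void
{
    $salt = generateSalt();
    $hash = md5($salt . $plainPassword); // salted hash, exactly as in the text
    $stmt = $pdo->prepare('INSERT INTO users (login, password, salt) VALUES (?, ?, ?)');
    $stmt->execute([$login, $hash, $salt]); // prepared statement: no SQL injection via $login
}

// Login: fetch this user's own salt, recompute md5(salt . password) and compare.
function checkLogin(PDO $pdo, string $login, string $plainPassword): bool
{
    $stmt = $pdo->prepare('SELECT password, salt FROM users WHERE login = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown login
    }
    $expected = md5($row['salt'] . $plainPassword);
    // hash_equals() compares in constant time, so response timing does not leak
    // how many leading characters of the stored hash matched.
    return hash_equals($row['password'], $expected);
}

// Note: current PHP provides password_hash()/password_verify(), which salt
// automatically and use a deliberately slow hash (bcrypt); prefer them over
// md5 in real applications, outside of this exercise.
```

With a per-user salt, two users who chose the same password get different stored hashes, so a precomputed table of md5 values no longer maps a stored hash straight back to a password.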
