Friday 19 July 2019

Static Salt vs Random Salt - Security PHP



Is there any working difference between



$hash=sha1($key.$staticSalt);



and



$hash=sha1($key.$randomSalt);


If i use random salt i need to store the random salt in the database, on the other side if i use a fixed salt then no need to use DB !
And if the code can be hacked to see the salt (static) then the hacker will be able to see the database also with the hash and random salt :D
So does it worth it ?
What if i use a salt like @#kiss~89+.&&^me ?


Answer



Random salts have a tremendous benefit. If all accounts in the system use the same salt, an attacker can brute-force calculate hashes for that salt and break into all accounts with just one computational run. If they use different salts per account, brute-force only gets you into one account.


-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

php - file_get_contents shows unexpected output while reading a file

I want to output an inline jpg image as a base64 encoded string, however when I do this : $contents = file_get_contents($filename); print &q...