php - How to random salt for SHA512


Currently I'm using PHP 5 for hashing my password. I want to know how to change the random salt for SHA512. After I changed the following code from sha1 to SHA512, my hashing failed. Below is my code for hashing my password:

public function hashSSHA($password) {

    // mhash() takes the algorithm as its first argument; hash rand() with SHA-1 to get salt bytes
    $salt = mhash(MHASH_SHA1, (string) rand());
    $salt = substr($salt, 0, 15);
    // mhash() already returns raw binary; a third argument would be treated as an HMAC key
    $encrypted = base64_encode(bin2hex(mhash(MHASH_SHA512, $password . $salt) . $salt));
    $hash = array("salt" => $salt, "encrypted" => $encrypted);
    return $hash;
}

/**
 * Recompute the salted hash for comparison (a hash cannot be decrypted)
 * @param salt, password
 * returns hash string
 */
public function checkhashSSHA($salt, $password) {

    $hash = base64_encode(bin2hex(mhash(MHASH_SHA512, $password . $salt) . $salt));

    return $hash;
}

I managed to register a new user, but when I try to log in with the registered user, it tells me that my username or password is wrong. So I want to know where I have gone wrong. Thanks!


Answer

Solution:

rand() is supposed to have a different value each time you use it, so the salt is different when the user registers and when he tries to log in. Try giving a static value to the salt, like 'sdfj3209r34r4' for example, and see if it works. This is weak though, as everyone would have the same salt.

An alternative would be to use something that is not common to everyone but is also 'static'. This means that it's different for each user but stays the same for a given user.

One example of the latter would be to use an md5 of the password as the salt, the username, the user's city, or whatever data you have available that you know is NOT going to change (and if it changes, request the password and create the new hash, as many sites do). I didn't realize it until now, answering this question, that this could be another reason why places like www.hotmail.com request the password when you change some 'private' information: they have to rebuild the hash.

There is A LOT of information about salts in other Stack Overflow questions.

EDIT. Try this:

public function hashSSHA($password) {

    // salt derived from the password itself, so it is the same on every call (mhash returns raw binary)
    $salt = mhash(MHASH_SHA512, $password);
    // no third argument: mhash() would treat it as an HMAC key
    $encrypted = base64_encode(bin2hex(mhash(MHASH_SHA512, $password . $salt) . $salt));
    $hash = array("salt" => $salt, "encrypted" => $encrypted);
    return $hash;
}

/**
 * Recompute the salted hash for comparison (a hash cannot be decrypted)
 * @param salt, password
 * returns hash string
 */
public function checkhashSSHA($salt, $password) {

    $hash = base64_encode(bin2hex(mhash(MHASH_SHA512, $password . $salt) . $salt));

    return $hash;
}

Also, are you sure that your $salt inside checkhashSSHA is the same as the one produced by hashSSHA? Because variables are normally LOCAL (they only work inside the same function). This means that you need to have the same statement, $salt = mhash(MHASH_SHA512, $password);, outside the function to create the salt. If you do so, this is REALLY redundant; if you don't, $salt has no value inside the second function. Please provide some more code.
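As an added example (not the asker's or answerer's code; it assumes PHP 7.0+ for random_bytes() and uses the built-in hash() instead of mhash()), here is the same hash(password . salt) . salt layout with the salt generated once at registration, stored beside the hash, and passed back unchanged at login, which is the part the question's flow was missing:

```php
<?php
// Registration: one random salt per user, returned so the caller can
// store it next to the hash. This is the only place a salt is generated.
function registerPassword(string $password): array {
    $salt   = random_bytes(16);                          // per-user, unpredictable
    $digest = hash('sha512', $password . $salt, true);   // raw 64-byte digest
    return [
        'salt'      => bin2hex($salt),                   // store as hex
        'encrypted' => base64_encode(bin2hex($digest . $salt)),
    ];
}

// Login: the STORED salt comes in as a parameter and is never regenerated,
// so the recomputed value matches what registration produced. The
// comparison is constant-time to avoid leaking where the strings differ.
function verifyPassword(string $password, string $saltHex, string $stored): bool {
    $salt      = hex2bin($saltHex);
    $digest    = hash('sha512', $password . $salt, true);
    $candidate = base64_encode(bin2hex($digest . $salt));
    return hash_equals($stored, $candidate);
}

// Constructed demo: a record as it would be saved at registration,
// then a correct and an incorrect login attempt against it.
$record = registerPassword('correct horse battery staple');
var_dump(verifyPassword('correct horse battery staple', $record['salt'], $record['encrypted']));
var_dump(verifyPassword('wrong password', $record['salt'], $record['encrypted']));
```

Deriving the salt from the password itself, as the answer's edited code does, gives up the randomness a salt exists to add; for new code, password_hash() and password_verify() (PHP 5.5+) handle salt generation, storage and a deliberately slow hash for you.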
