It is a good idea to use a password as salt

Question

It is a good idea to use a password as salt

I read in many articles that we must combine a unique salt for each password before hashing and store the salt in the database for verification, but what about using the password itself as a salt?

Doing this will be useful because the salt will be unique to everyone and will also be hidden because it will not be stored where.

A simple example that I can give above is:

$hashToStore=sha1(strrev($password).$password);

Above, I just change the password and use it as salt (I will do something more complex and then just cancel it during the development process.)

Is this the best way to store passwords or would be bad practice.

PS: I am fully aware of the latest built-in php functions, such as crypt()using them in the real world, but still wanted to see above.

+4

php password-storage

Shubanker Jun 25 '14 at 18:29

source share

2 answers

, . , , - .

? LinkedIn, " ". " ", , , . EVERYONE ELSE, .

0

Andrew McGivery 25 . '14 18:47

joaofgf · Accepted Answer · 2014-06-25T18:38:28+0000

. , . , , , . - , . , . , , , .
, .

[...] -, , . , , . , , . , , . , - , , , .

-, .

md5(sha1(password))
md5(md5(salt) + md5(password))
sha1(sha1(password))
sha1(str_rot13(password + salt))
md5(sha1(md5(md5(password) + sha1(password)) + md5(password)))

.

(CSPRNG). CSPRNG , rand() C. , CSPRNG , , . , , CSPRNG. CSPRNG, . (PHP: mcrypt_create_iv, openssl_random_pseudo_bytes)
. , , . . , . , , . .
CSPRNG.
-, SHA256.
.
.
.
. , . .
PHP, #, Java Ruby.
-
-, , . JavaScript " " ?
JavaScript, . -, . , - , . , , , .
, - . , , - . , , ! , - -, , - .
, , , . , , , :
HTTPS (SSL/TLS). , -- JavaScript, .
- JavaScript, JavaScript . , JavaScript - , .
. , script . , , . ( ) , , ( ), (, ) , .

: https://crackstation.net/hashing-security.htm

, , , .

It is a good idea to use a password as salt

More articles: