
How to generate password salt with codeigniter

Sorry for being new to PHP programming. In my old project I used MD5 to encrypt the password; however, it is not secure enough, and I found some resources on the internet suggesting the use of a password salt instead.

The problem is, I am using CodeIgniter. Is there any helper/library for this purpose, or how do I change my old code to support the generation of the password salt?

Thanks for helping. I am using PHP 5.2.

And here is the old code to validate, while the user account is generated by storing md5($password):

function validate_credentials() {
    $this->load->model('Secure_model');

    $username = $this->input->post('username');
    // Old scheme: unsalted MD5 of the submitted password, compared against md5($password) stored at registration
    $password = md5($this->input->post('password'));

    $is_valid = $this->Secure_model->validate('customer', $username, $password);

    if ($is_valid) {
        $data = array(
            'user_id' => $this->get_user_id($username),
            'user_name' => $username,
            'is_logged_in_user' => true
        );
        $this->session->set_userdata($data);
        redirect('profile');
    } else {
        $data['message_error'] = TRUE;
        $data['main_content'] = 'front/login';
        $this->load->view('front/includes/template', $data);
    }
}

If you are really stuck with PHP 5.2, your best bet will probably be the phpass library, because there is no PHP support for the BCrypt algorithm.

PHP versions 5.3 and later have native support for BCrypt, so you can use the PHP function password_hash() to hash a password. There is a compatibility pack for versions before 5.5.

// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);

// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);

In any case, you are right to discard MD5 and switch to another algorithm. Make sure that you use an algorithm with a cost factor like BCrypt or PBKDF2; fast algorithms like SHA* are not appropriate for hashing passwords. Salting is mandatory, though the salt can be stored in the database; it fulfills its purpose even if it is known.

Look at this part of my code that I use to register a user:

public function addUser($data){
    // 9 hex characters of per-user salt, stored next to the password
    $salt = substr(md5(uniqid(rand(), true)), 0, 9);
    // Password stored as sha1(salt . sha1(salt . sha1(password)))
    $sql = "INSERT INTO `user` SET salt=" . $this->db->escape($salt) . ", password=" . $this->db->escape(sha1($salt . sha1($salt . sha1($data['password'])))) . ".......";
    $this->db->query($sql);
}

The salt and the password are stored in your user table. To retrieve the information and validate the password you do this:

$query = $this->CI->db->query("SELECT * FROM `user` WHERE email =".$this->CI->db->escape($email)." AND password = SHA1(CONCAT(salt, SHA1(CONCAT(salt, SHA1(" . $this->CI->db->escape($password) . ")))))");
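The migration the question asks for, as an added example: this is not code from the question or from any answer above, and not part of CodeIgniter. It combines the password_hash()/password_verify() approach from the first answer with the two legacy formats on this page (the asker's bare md5($password) and the sha1(salt . sha1(salt . sha1($password))) chain from the answer directly above), so existing users keep logging in while every account is moved to bcrypt on its next successful login. Legacy hashes are recomputed in PHP rather than inside the SQL text, so the plaintext password never reaches the database server or its query log. Assumptions: PHP 5.6 or later (or 5.3.7+ with the password_compat pack and a hash_equals() polyfill), a `customer` table with username, password and a nullable salt column, and the CodeIgniter 2.x/3.x Query Builder methods where()/get()/update().

```php
<?php
// Added example (not from the original post or from CodeIgniter). Drop-in
// replacement for the asker's Secure_model::validate(); the controller must
// now pass the raw POSTed password instead of md5($password).
// Assumes PHP >= 5.6 (password_hash, password_verify, password_needs_rehash,
// hash_equals) and a `customer` table with username, password, nullable salt.
class Secure_model extends CI_Model
{
    // Work factor for new hashes; time it on the production box before raising it.
    const BCRYPT_COST = 12;

    // Returns the user row on success, FALSE otherwise.
    public function validate($table, $username, $password)
    {
        $row = $this->db->where('username', $username)->get($table)->row();
        if (!$row) {
            return FALSE;
        }
        $stored = (string) $row->password;

        if (strpos($stored, '$2y$') === 0) {
            // Already bcrypt: salt and cost are part of $stored itself.
            if (!password_verify($password, $stored)) {
                return FALSE;
            }
            // Transparent re-hash if BCRYPT_COST was raised after this hash was made.
            if (password_needs_rehash($stored, PASSWORD_BCRYPT, array('cost' => self::BCRYPT_COST))) {
                $this->store_bcrypt($table, $username, $password);
            }
            return $row;
        }

        // Legacy row: verify in PHP (plaintext never enters SQL), then upgrade.
        if ($this->legacy_matches($row, $password)) {
            $this->store_bcrypt($table, $username, $password);
            return $row;
        }
        return FALSE;
    }

    private function legacy_matches($row, $password)
    {
        $stored = (string) $row->password;
        $salt   = isset($row->salt) ? (string) $row->salt : '';

        if (strlen($stored) === 32 && ctype_xdigit($stored)) {
            // Unsalted MD5 from the question's original registration code.
            return hash_equals($stored, md5($password));
        }
        if (strlen($stored) === 40 && ctype_xdigit($stored) && $salt !== '') {
            // Salted SHA-1 chain from the addUser()/login snippets above.
            return hash_equals($stored, sha1($salt . sha1($salt . sha1($password))));
        }
        return FALSE;
    }

    private function store_bcrypt($table, $username, $password)
    {
        $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => self::BCRYPT_COST));
        // The separate salt column becomes redundant: bcrypt embeds its own salt.
        $this->db->where('username', $username)
                 ->update($table, array('password' => $hash, 'salt' => NULL));
    }
}
```

Because the legacy branch only runs when the stored value still looks like a 32- or 40-character hex digest, the upgrade is self-terminating: once a row holds a `$2y$` string it never touches md5() or sha1() again, and the old code path can be deleted after the remaining legacy rows have been reset or expired.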

Here are some simple solutions.

  • You can use SHA* hash functions; be careful in using MD5 since it has a higher rate of collisions than SHA,

  • and also about your problem with salt: it is OK if you don't salt your password, just make sure your users use a very good password with a combination of lower and upper case letters and numbers, and make them lengthy.

I would like to advise you to use bcrypt, but since you are using 5.2 it has a bug on that version, and certain password libs like PHPASS and PHPLIB cater only to 5.3 and above. The best option is to upgrade to 5.3 so that you can use the PHP libs, but take full caution with the scripts.

As far as I know CodeIgniter does not have a built-in function for this...

To make a hash with PHP you need:

  • the password
  • a true random salt
  • a slow hashing algorithm

With PHP you can create a true random salt by using mcrypt_create_iv().

To make the hash, you can use crypt() or password_hash(), which support slow algorithms like CRYPT_BLOWFISH. Forget md5 or sha1; they are too fast, so with the proper tool it is possible to find out passwords hashed by them.

// 22 bytes from /dev/urandom. Raw bytes fall outside bcrypt's ./A-Za-z0-9 salt
// alphabet, so password_hash() re-encodes them before use.
// Note: mcrypt_create_iv() was removed in PHP 7.2, and the 'salt' option of
// password_hash() is deprecated since PHP 7.0; omit it and let PHP generate the salt.
$salt = mcrypt_create_iv(22, MCRYPT_DEV_URANDOM);
$hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => 11, 'salt' => $salt));

The password_hash() function can generate a true random salt automatically, so you don't have to generate it manually if you don't want to. The salt will be appended to the hash.

Sadly PHP 5.2 does not have CRYPT_BLOWFISH support, so you have to use the PHPASS lib.
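The three ingredients this answer lists (password, random salt, slow algorithm), as an added example that is not the answerer's code. It leaves the salt to password_hash() instead of mcrypt_create_iv(), then takes the result apart to show where that salt is stored (inside the returned string, right after the two-digit cost), picks a cost from a timing run rather than a fixed 11, and counts how many sha1() guesses fit into the time of a single bcrypt hash, which is the "too fast" argument made concrete. Assumptions: PHP 5.5 or later; the 250 ms target and the 10..15 cost range are arbitrary starting points, and the sample password is constructed for the demo.

```php
<?php
// Added example (not from the original answer). PHP >= 5.5; no manual salt,
// so it also runs unchanged on PHP 7/8 where the 'salt' option is deprecated
// and mcrypt_create_iv() no longer exists.

// Split a bcrypt string: "$2y$" . two-digit cost . "$" . 22-char salt . 31-char digest.
function bcrypt_parts($hash)
{
    $re = '#^\$2[aby]\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($re, $hash, $m)) {
        return FALSE;
    }
    return array('cost' => (int) $m[1], 'salt' => $m[2], 'digest' => $m[3]);
}

// Highest cost whose single hash still finishes under $target_ms on this
// machine. Measure on the real login server, not on a developer laptop.
function calibrate_bcrypt_cost($target_ms = 250, $min = 10, $max = 15)
{
    $chosen = $min;
    for ($c = $min; $c <= $max; $c++) {
        $t0 = microtime(true);
        password_hash('calibration-only', PASSWORD_BCRYPT, array('cost' => $c));
        if ((microtime(true) - $t0) * 1000 > $target_ms) {
            break;
        }
        $chosen = $c;
    }
    return $chosen;
}

// Number of salted sha1() candidates that fit into the time of one bcrypt
// hash at $cost: roughly how many guesses per stolen sha1 hash an attacker
// gets for the price of one legitimate bcrypt verification.
function sha1_guesses_per_bcrypt($cost)
{
    $t0 = microtime(true);
    password_hash('calibration-only', PASSWORD_BCRYPT, array('cost' => $cost));
    $budget = microtime(true) - $t0;

    $n  = 0;
    $t1 = microtime(true);
    while (microtime(true) - $t1 < $budget) {
        sha1('somesalt' . 'guess' . $n);
        $n++;
    }
    return $n;
}

$cost = calibrate_bcrypt_cost();
$pw   = 'correct horse battery staple';   // constructed sample password
$h1   = password_hash($pw, PASSWORD_BCRYPT, array('cost' => $cost));
$h2   = password_hash($pw, PASSWORD_BCRYPT, array('cost' => $cost));

printf("cost chosen: %d\n", $cost);
printf("same password, two hashes differ: %s\n", $h1 !== $h2 ? 'yes' : 'no');
printf("both verify: %s\n", (password_verify($pw, $h1) && password_verify($pw, $h2)) ? 'yes' : 'no');
print_r(bcrypt_parts($h1));               // 'salt' is the 22 characters after the cost
printf("sha1 guesses per bcrypt hash at cost %d: %d\n", $cost, sha1_guesses_per_bcrypt($cost));
```

Hashing the same password twice gives two different strings that both verify, which is the whole job of the salt; and because the salt and cost are carried inside the string, password_verify() needs no extra column and a later cost increase is handled by password_needs_rehash() at login rather than by a schema change.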

You should set a $config['salt'] = '$%#~De@'; // in your config file

// Inside your model or controller where you are getting your post values
$password = sha1($this->config->item('salt') . $this->input->post('password'));

This should give you the hashed password.

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM