Hashing (with salts) Username and Password in php

Question

I am creating a user login function but I've seen mixed views on the best way to do this.

Here's what I was thinking of doing...

• Hashing the Username using 2 hashed salts which are based on substrings of the username.
• Hashing the password using 2 randomly generated hashed salts which are held in a table with the password and username.

Is this overkill, wrong, or even not secure enough??

Answer 1

Salting protects against rainbow tables, so having 2 salts isn't going to be any better than 1. The hacker needs to know the salt in order to crack your password with a rainbow table, the only way they can do that is if they have access to the database table. And if they have that they have both salts anyway.

The longer the password the harder it will be to do it with brute force, so a longer password is going to be better than extra salt.

Salting and hashing your username will add unwanted over-head every time you read the username from database. With the password you only need to salt and hash at log-on.

Ideally use something like BCrypt where the cryptographic hashing function can be adaptively slowed down over time as moore's law continues. This will reduce the chance of a brute force attack.

Answer 2

I'd say that hashing the username is overkill, as is two salts for the password. One salt would be sufficient.

Be sure to use a secure hashing algorithm, such as SHA-512.

Answer 3

Like others said, hashing username is overkill and one salt is enough. Use algorithm which is mathematically slow - it would be slow for the cracker too.

Answer 4

Salting your password once is enough. Having two salts is basically equivalent to generating a longer salt.

Hashing usernames will make it more difficult for you to manage your users than making the login more secure. Consider making a list of your current users, but all you have is the hashed versions? Remember that the point of hashing is to an irreversible 'encryption' of your data.

Consider using crypt() for hashing your password. Especially notice the Blowfish method as this is considered to be the safest hashing method currently.

Answer 5

I just answered another SO question going into great detail on how to handle logins and password security. It may be worth a read. (Some tidbits: Username has no need to be salted. Password definitely should be salted, but once is all you need. I use SHA-256.)

Answer 6

There really is no need to hash you username field, that should be something you are willing to display on the webpage while keeping your system secure. That being said, while it is unnecessary, it can't hurt if your willing to put up with it.

Adding two salts is rather pointless if they both come from and are stored in the same place. Rather than doing this, I would use a permutation of the username as a salt, along with a long random string that you randomly generate and store in your database. If you are still paranoid, (which, I would guess you are by the whole "hash the usernames" thing) I would consider adding a third salt which you use throughout your application.

Also, very important:

Make Sure You Use a Strong Hash Function

Make sure you use a secure hash function. whirlpool, sha256 and up, tiger, or whatever else you can use (check hash_algos() ). Also, take a look at implementing bcrypt, which is very slow ( How do you use bcrypt for hashing passwords in PHP? ).