Hi, I was just browsing through your code and saw how you registered users: https://github.com/HaschekSolutions/0xf.at/blob/master/models/usersmodel.php#L11
Maybe I don't fully understand your code yet, but I think the salt here is static and it shouldn't be. The main point of having a salt is that if two users choose the same password and your data gets leaked, the hashes won't be the same, to slow down potential brute-force attacks. A salt should be generated for each new user and saved alongside their password. When it's time to hash the password again, the salt should be applied. What you created here is known as a "pepper" and should only be used in addition to a proper salt when storing user passwords.
If you switch from using sha512 (which isn't ideal for hashing passwords anyway) to something like bcrypt, a random salt will be included in the user password automatically. PHP now offers https://www.php.net/manual/en/function.password-hash.php which handles this automatically.
Greetings from Wien!
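As an added illustration of the point raised in the issue above (example code written for this page, not the 0xf.at project's own code), here is the static-salt pattern the comment describes next to the `password_hash()`/`password_verify()` approach, with an optional pepper applied through an HMAC; the constant name, the sample pepper and the `APP_PEPPER` environment variable are assumptions.

```php
<?php
// Pattern the issue warns about (hypothetical reconstruction, constructed value):
// one fixed value prepended to every password before a plain sha512.
const STATIC_SALT = 'constructed-static-value';

function hashWithStaticSalt(string $password): string {
    // Every user with the same password gets the same digest, so a leaked
    // table can be attacked once for all of them. This value is a pepper, not a salt.
    return hash('sha512', STATIC_SALT . $password);
}

// Hardened form: password_hash() draws a fresh random salt per call and embeds
// it (with the algorithm and cost) in the returned string, so nothing extra
// needs to be stored and password_verify() recovers it on its own.
function hashPassword(string $password, string $pepper = ''): string {
    // Optional pepper: a secret kept outside the database (config or environment),
    // applied via HMAC before bcrypt. Hex output is 64 chars, inside bcrypt's 72-byte limit.
    $input = $pepper === '' ? $password : hash_hmac('sha256', $password, $pepper);
    return password_hash($input, PASSWORD_BCRYPT, ['cost' => 12]);
}

function verifyPassword(string $password, string $stored, string $pepper = ''): bool {
    $input = $pepper === '' ? $password : hash_hmac('sha256', $password, $pepper);
    return password_verify($input, $stored);
}

// Demonstration with constructed sample data.
$pw     = 'correct horse battery staple';
$pepper = getenv('APP_PEPPER') ?: 'constructed-pepper-for-demo-only'; // assumption

// Two users choosing the same password: the static-salt digests are identical.
var_dump(hashWithStaticSalt($pw) === hashWithStaticSalt($pw));

// With password_hash() each stored value carries its own random salt, so
// the two stored strings differ even though both verify against the password.
$alice = hashPassword($pw, $pepper);
$bob   = hashPassword($pw, $pepper);
var_dump($alice === $bob);
var_dump(verifyPassword($pw, $alice, $pepper));
var_dump(verifyPassword($pw, $bob, $pepper));
var_dump(verifyPassword('wrong password', $alice, $pepper));

// When the cost or algorithm is raised later, rehash on successful login.
if (password_needs_rehash($alice, PASSWORD_BCRYPT, ['cost' => 12])) {
    $alice = hashPassword($pw, $pepper);
}
```

Note that once a pepper is in use it must stay available for the lifetime of every stored hash; rotating it requires rehashing users as they log in.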