password_hash(): Stop salting your passwords!Thunder Raven-Stoker
Apr 2nd, 2015
You should be allowing the
password_hash() function to create dynamic salts for you. Here's how and why.
One of the most common mistakes that a less well informed PHP developer will make when it comes to the process of hashing a password is to come up with their own "super secret algorithm" instead of following the better practice of using the generally approved of and recommended by many approach of employing the language's own
I wrote about why it's such a mistake to come up with your own algo in this article here.
The idea of rolling your own also extends to the notion of providing a custom salt, either dynamically like this:
// config.php $myCustomSalt = mt_rand();
Or, far far worse, like this:
// config.php $myCustomSalt = 'super!secret*unguessable&string';
Yet doing so is to actively make your password hash security far far worse than it needs to be. Done correctly, your passwords should be dynamically salted (a different salt for every hash) and that salt should be properly constructed.
Doing so will help to ensure that your password hashes are resistant to both rainbow table attacks and brute force cracking (if done with an expensive enough hashing cost).
Fortunately, you don't even have to worry about generating a good quality salt. Instead, you can leave such matters to the experts by simply not providing your own.
Faulty custom made salt provision is such an extensive problem that it seems likely that the ability to provide your own salt will be removed in future versions of PHP (version 7 specifically although it may get back ported, but that couldn't be done with breaking backwards compatibility). This might seem like a little too much handholding but I believe that when it comes to security, following the right process as devised by the experts in their field is to be lauded.
To help ease the adoption of doing password hashing a better way (by letting the password_hash() function itself handle dynamic salt generation), I've provided an easy to use library on github that you can include in your own projects. It's also installable via composer as the package 'vanguard\passman'
Here are the links:
- Github: https://github.com/vanqard/passman
- Packagist: https://packagist.org/packages/vanqard/passman
What do you think? Please comment below.
And if you agree with the content, please share this article with the social buttons below.
Thank you for reading.