Geek Answers Handbook

Where is the best place to store a password salt for a website?

I have two salts, each user has a unique salt, which is stored with user information in the database. The second salt is the one that refers to the website. Both of them are necessary for hashing passwords.

The problem is that I do not know where I should save my site. Now it is in the PHP method, which runs the hash algorithm. Should I store it in a file outside / var / www / and open PHP and read the file? I do not want to store it in the database, because it will violate the goal of creating two salts if my database is compromised.

Any suggestions?

+6
security php passwords salt storage
source share
5 answers

One option not yet specified? The environment variable served by the server. You can do this in httpd.conf or in .htaccess. Since Apache does not serve .htaccess files, you don’t have to worry about hiding it as much as possible ...

SetEnv WEBSITE_SALT 232lhsdfjaweufha32i4fv4239tauvkjn

Thus, all you need to do in your application is $salt = getenv('WEBSITE_SALT'); . The advantage here is that it is transparent to the application ...

+11
source share

Yes, save it in a PHP configuration file somewhere, preferably in a folder above the directory, which is the web root.

+5
source share

Saving the site salt in a file that can never be served is your best option here. It makes no sense to encrypt the salt or keep it together with others, as you indicated. Just make sure that the file that you store in it cannot be sent if requested (outside the root www works) and make sure that it has the appropriate permissions.

0
source share

Just insert it into the variable inside the .php file. For a small amount of added security by suspense, you can save it in (say) base64 encoded format and name the variable something completely harmless, for example

 $this_is_not_the_salt_you_are_looking_for = base64_decode(.... encoded salt string here ...);

For an extra extra security bit, place the .php file somewhere outside the web root, so if for some reason the web server configuration takes off and starts serving the raw PHP code, a file containing salt information is directly accessible .

0
source share

Most people will store persistent salt in a configuration file. This is good, but the whole point of using SALT is to prevent your data from being read by an external source.

I saw how many people actually store salt in the database in the accounts field. Here's a twist though. It was uniquely created when creating an account, so each user has a unique salt.

It's not about salt, though - about how you encrypt data.

 sha1($password.md5(md5($password.md5($salt))))

Even with salt, you probably can never crack it. Therefore, do not worry about storing it in your database if you decide to switch to a unique account. Just make sure your encryption process is strong!

-3
source share

More articles:


All Articles