0

I am doing a custom login for practice purposes, and i am wondering what would be the logical way to save the hashed password and the salts.

  • Salt/Hash operations are using Rfc2898DeriveBytes class.

As for now, it is like this:

  • The user registers, the password is encrypted with a random salt (which is saved to the database) and hashed with a hard-coded salt with 10000 iterations.

As the iterations can be raised in time due to computational improvements, i am saving the Hash iterations (the Encryption iterations are hard-coded) them on the database.

I would like opinions on how safe is a hard-coded hash salt, or if i should make it random and add the hash salt to the database too.

Dillinger
  • 131
  • 6

1 Answers1

-1

I would recommend you use a static string as a salt for example, "thisisstaticand10000characterslong". Use the password inside this ( $salt1.$post['password'].$salt2). Then hash it with MD5. If the user wants to login than you make the same method to check if the password entered by the user is correct.

if(md5(($salt1.$_POST['password'].$salt2) == $password)
{ 
    /* Your code */
}
RoraΖ
  • 12,347
  • 4
  • 51
  • 83
user87867
  • 1
  • 1
  • Never use a cryptographic hash to store user set passwords - it is far too fast. See the linked post (user bcrypt, pbkdf2 or scrypt instead). – SilverlightFox Sep 29 '15 at 07:44