I have two fields in login table
- password
- salt
And I have this little function to generate salt
function random_salt($h_algo="sha512"){
$salt1=uniqid(rand(),TRUE);
$salt2=date("YmdHis").microtime(true);
if(function_exists('dechex')){
$salt2=dechex($salt2);
}
$salt3=$_SERVER['REMOTE_ADDR'];
$salt=$salt1.$salt2.$salt3;
if(function_exists('hash')){
$hash=(in_array($h_algo,hash_algos()))?$h_algo:"sha512";
$randomsalt=hash($hash,md5($salt)); //returns 128 character long hash if sha512 algorithm is used.
}else{
$randomsalt=sha1(md5($salt)); //returns 40 characters long hash
}
return $randomsalt;
}
Now to create user password I have following
$userinput=$_POST["password"] //don't bother about escaping, i have done it in my real project.
$static_salt="THIS-3434-95456-IS-RANDOM-27883478274-SALT"; //some static hard to predict secret salt.
$salt=random_salt(); //generates 128 character long hash.
$password =sha1($salt.$userinput.$static_salt);
$salt is saved in salt field of database and $password is saved in password field.
My problem, In function random_salt(), I m having this FEELING that I’m just making things complicated while this may not generate secure salt as it should. Can someone throw me a light whether I m going in a right direction?
P.S. I do have an idea about crypt functions and like such. Just want to know is my code okay?
Thanks.
This is obviously a security problem:
How did you set the seed for rand().? Where is you entropy pool?
As long as you can’t answer the salt has to be considered predictable. Remember: security doesn’t come from code obscurity.
If you choose a good PRNG all the other salts (e.g. server name, static long salt, time etc..) become irrilevant.