I recently began work on a project and it contains the following function to hash passwords :
function hash_password($password) {
$account_id = $this->account_id;
/*
* Cook up some randomness
*/
$password = str_rot13($password);
$random_chars = "1%#)(d%6^".md5($password)."&H1%#)(d%6^&HB(D{}*&$#@$@FEFWB".md5($password)."``~~+_+_O(Ed##fvdfgRG:B>";
$salt = $account_id;
$salt = ((int)$salt * 123456789) * 1000;
$salt_len = strlen($salt);
for($i=0; $i <= $salt_len; $i++) {
$salt .= $random_chars[$i];
}
$salt = str_repeat($salt, 3);
return hash('sha256', base64_encode($password.$salt.$password), false);
}
*$account_id is unique to each user account.
My question is : Is this function any more secure than doing something as simple as :
$salt = sha1($account_id);
$hash = hash('sha256', base64_encode($password.$salt), false);
Cheers!
Using the account ID as a salt is probably not a good idea – if someone can steal your hashed passwords, then they can probably get the account ID’s too. Having a more convoluted hash in code in this instance is therefore probably more secure, provided that the code is also well protected. Using a known random string as the salt in the code means that someone would have to hack both your data and your code in order to attack passwords – that has to be better than just having to attack the database alone.