Home/ Questions/Q 3801900
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-19T14:07:22+00:00

I’d like to use Portable PHP password hashing framework to hash passwords. But I

  • 0

I’d like to use Portable PHP password hashing framework to hash passwords. But I find that its demos don’t use salt for hashing a password. But it use a dummy salt for checking password which I find it strange and I don’t understand this idea at all,

$dummy_salt = '$2a$08$1234567890123456789012';

if (isset($dummy_salt) && strlen($hash) < 20)
        $hash = $dummy_salt;

I wonder, if I want to use convention method which I can generate the unique salt and store it for each user in my database, how can I use Portable PHP password hashing framework to generate salts?

This is the function I use to hash passwords but I have been told that sha512 has the same issue as sha1, wise to trust the expert like Portable PHP password hashing framework,

function hash_sha512($phrase,&$salt = null)
{
    //$pepper = '!@#$%^&*()_+=-{}][;";/?<>.,';

    if ($salt == '')
    {
        $salt = substr(hash('sha512',uniqid(rand(), true).PEPPER_KEY.microtime()), 0, SALT_LENGTH);
    }
    else
    {
        $salt = substr($salt, 0, SALT_LENGTH);
    }

    return hash('sha512',$salt.PEPPER_KEY.$phrase);
}

Let me know if you have any idea. Thanks.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    From the phpass article linked to from that page:

    Besides the actual hashing, phpass
    transparently generates random salts
    when a new password or passphrase is
    hashed, and it encodes the hash type,
    the salt, and the password stretching
    iteration count into the “hash
    encoding string” that it returns. When
    phpass authenticates a password or
    passphrase against a stored hash, it
    similarly transparently extracts and
    uses the hash type identifier, the
    salt, and the iteration count out of
    the “hash encoding string”. Thus, you
    do not need to bother with salting and
    stretching on your own – phpass takes
    care of these for you    .

    …so it’s not surprising that the examples don’t use salting! You may be over-seasoning your code.

    The code sample with the dummy salt is an example of how to prevent a timing attack by making sure that whether a user exists or not, the validation of the user takes the same amount of time, effectively by doing a dummy authentication for non-existent users. It needs a dummy salt because if the user doesn’t exist, it won’t have a stored salt to use.

    • 0