Home/ Questions/Q 3602314
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-18T20:43:51+00:00

I’m currently going over my user registration code. The part I’m focusing on right

  • 0

I’m currently going over my user registration code. The part I’m focusing on right now is the password hashing part.

What I do is get a static_salt from a config file, and use mt_rand() to generate a dynamic_salt. What I want to do is have this dynamic_salt stored in my database.

But if I pass the dynamic_salt() method to the create method in order to send it to the salt column of a table in my database it will just run the method again and create a different result from the one produced in my hashed() method.

What would be the best way to achieve what I’m trying to achieve, could you show me an example if possible?

public function create() {

                $dbcolumn->password = $this->hashed();
                $dbcolumn->salt = $this->dynamic_salt;
                $this->db->insert('users', $dbcolumn);

    }

public function dynamic_salt() {

            $get_dynamic_salt = mt_rand();
            return $get_dynamic_salt;
}

public function hashed() { //hashing method, that also makes
            // sha1 and salt password
            $static_salt = $this->config->item('encryption_key'); //grab static salt from config file
            $dynamic_salt = $this->dynamic_salt();

        $password = $this->encrypt->sha1($this->input->post('password')); //encrypt user password
            $hashed = sha1($dynamic_salt . $password . $static_salt);

            return $hashed;
}
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I recommend that you don’t use a dynamic salt, as it will reduce your applications flexibility and is likely not to work in it’s current form.

    The purpose of a salt is to prevent against dictionary attacks that someone could do if they obtained your user database. In that regard, a static salt is definitely a good idea to implement in your application.

    Adding a dynamic salt to each user would mean that you will have to hit a datastore to retrieve the dynamic salt and the hashed version of the user’s password, then you will have to perform the CPU intensive hash function (in your code, twice — you are hashing a hash which is less secure and more likely to have collisions).

    Having a simple known, static salt, and a hashed password will allow you to use key/value storage systems like memcache should you application grow. Store the userid as the key and the users hashed password as the value and you will have a lightening fast authentication system.

    • 0