Possible Duplicate:
How do you use bcrypt for hashing passwords in PHP?
I am researching the best and safest methods of encrypting and storing user passwords in a database for logins. One article I came across, Salted Password Hashing – Doing it Right, provides a fairly complicated-looking set of functions for encrypting and checking passwords.
I understand how the code works, but the article also mentions storing not only the hashed password in the database, but the salt as well. How would I go about doing that, using the given code? For example:
// User registers with username and password; assume they're already validataed
$hash = create_hash($password_entered);
$password_hash = $hash[HASH_PBKDF2_INDEX];
$salt = $hash[HASH_SALT_INDEX];
$PDO = new PDO('mysql:host=localhost;dbname=myDatabase', $username, $password);
$statement = $PDO->prepare('INSERT INTO users (username, password, user_salt)
VALUES (:username, :password; :user_salt)');
$statement->execute(array(
':username' => $username_entered,
':password' => $password_hash,
':user_salt' => $salt,
));
That seems right… however, when verifying a login, I’m not sure what to check against the entered password from the login form. The compiled hash returned by create_hash() gives a colon-delimited list of values. I’m just not sure where to go from here, or if this source code is even worth using.
I haven’t used this code but I’m pretty sure you should not save user_salt separately in a column of your user table. User salt will be included in the hash (location 3 in a colon delimited hash). In your login script, get the password user has entered, and call the following function: