
Potential wrong use of "salt"

Open RaederDev opened this issue 5 years ago • 0 comments

Hi, I was just browsing through your code and saw how you registered users: https://github.com/HaschekSolutions/0xf.at/blob/master/models/usersmodel.php#L11

Maybe I don't fully understand your code yet but I think the salt here is static and it shouldn't be. The main point of having a salt is that if two users choose the same password and your data gets leaked the hashes won't be the same to slow down potential brute-force attacks. A salt should be generated for each new user and saved alongside their password. When it's time to hash the password again the salt should be applied. What you created here is known as a "pepper" and should only be used in addition to a proper salt when storing user passwords.

If you switch from using sha512 (which isn't ideal for hashing passwords anyway) to something like bcrypt, a random salt will be included in the user password hash automatically. PHP now offers https://www.php.net/manual/en/function.password-hash.php which handles this automatically.

Greetings from Wien!

RaederDev, Jun 09 '20 20:06
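The difference the issue describes, shown as an added PHP example (this is not code from 0xf.at; the constant, sample passwords and helper names are constructed for illustration):

```php
<?php
// Added example, not code from 0xf.at. Contrasts a static application-wide
// value mixed into sha512 (a "pepper", not a salt) with PHP's password_hash(),
// which generates a fresh random salt per call and embeds it in the result.
// LEGACY_PEPPER, the helper names and the sample passwords are constructed.

declare(strict_types=1);

// --- Weak pattern: one constant for every user. Two users with the same
// password get identical hashes, so a leaked table exposes shared passwords
// and one precomputed table covers all accounts.
const LEGACY_PEPPER = 'constructed-static-value';

function legacyHash(string $password): string
{
    return hash('sha512', LEGACY_PEPPER . $password);
}

// --- Recommended pattern: password_hash() with a per-user random salt.
// The returned string encodes algorithm, cost and salt, e.g.
// "$2y$12$<22-char salt><31-char hash>", so nothing extra needs storing.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function verifyPassword(string $password, string $storedHash): bool
{
    // Constant-time comparison against the salt/cost stored in the hash.
    return password_verify($password, $storedHash);
}

// Migration helper: after a successful login, return a new hash if the stored
// one is not bcrypt at the current cost (a legacy sha512 hex string, or an
// older cost); the caller stores the replacement. null means nothing to do.
function upgradeIfNeeded(string $password, string $storedHash): ?string
{
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => 12])) {
        return hashPassword($password);
    }
    return null;
}

// Demonstration with constructed values.
var_dump(legacyHash('correct horse') === legacyHash('correct horse')); // bool(true): same for every user
$a = hashPassword('correct horse');
$b = hashPassword('correct horse');
var_dump($a === $b);                                   // bool(false): different salts
var_dump(verifyPassword('correct horse', $a));         // bool(true)
var_dump(verifyPassword('wrong password', $a));        // bool(false)
var_dump(upgradeIfNeeded('correct horse', legacyHash('correct horse')) !== null); // bool(true)
```

Note that bcrypt only processes the first 72 bytes of the password; PASSWORD_DEFAULT lets PHP move to a newer algorithm later, and password_needs_rehash() then upgrades stored hashes transparently at login.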