php/MySQL: take a password, add a little salt and md5 the whole lot!

Jan 27, 2002
I'm quite new to making PHP/MySQL websites.

I'm making one at the moment and the security of people's passwords is on the agenda at the moment.

This method of adding a random 'salt' to a password before encrypting and storing it has been brought to my attention.

Everyone who suggests using a salt says the same thing about storing it separately to the encrypted password, but nobody says where?

Does it just have to be in a separate table?

Or a completely different database?
 

pcthuglife

Member
May 3, 2005
I've never used this technique. Personally I just use the 'PASSWORD' function built into MySQL. I'd imagine you could keep your 'salt' in an include file outside of the document root. This way the only way it could be accessed is by using a server side include. That's how I store my MySQL connection info.

Say your document root is /var/www
You could store a salt.php file in /var/secure and use
include ("/var/secure/salt.php"); at the top of your page.
 
Jan 27, 2002
How would that work?
There is a random salt for every single user, so what would be in the salt.php file?
Every username with its corresponding salt?
 

pcthuglife

Member
May 3, 2005
Oh, I didn't realize there was a random salt for each user. Yeah, storing it in a MySQL table would be your best bet. I don't think a separate database would be necessary.
 
Jan 27, 2002
That's what I thought.

While there's someone around who's reading this thread...

This is the first website I've made where people will be buying things (probably using paypal).

What other security measures should I be taking? I don't expect anyone to give me detailed instructions on what to do, just mention a few things I can look into.

Thanks
 

sourceninja

Diamond Member
Mar 8, 2005
Why exactly are you taking this measure of security? Are the web server and the database server two separate boxes? Are you afraid of remote attacks or local ones?

This seems pointless and unnecessary to me.
 

torpid

Lifer
Sep 14, 2003
Often times people will use other info about the user that you already have as the salt plus some constant. I've even seen people suggest using the username.
 
Jan 27, 2002
How is it pointless to be encrypting passwords? It seems entirely necessary to me.

All I am doing is being a little more cautious by adding this random salt.
 

Thyme

Platinum Member
Nov 30, 2000
He's saying it's pointless to elaborately salt your passwords when someone would have to have access to your tables in the first place to crack them at all.

Anyway, you can use a public salt if you want and you'd probably still be ok. It's really most helpful to protect against searchable md5 databases.
 

GeekDrew

Diamond Member
Jun 7, 2000
I personally encode passwords using a combination of a unique salt (per user, stored in the same table as the user info, including the password) and a static salt (stored in a PHP file outside of the web root). That works well enough for me. I believe that vBulletin uses an md5 hash for authentication, and it's based on password, salt, and license#, if I recall correctly.

<edit>

Also, it's a fairly bad idea to use MySQL's PASSWORD function... and IIRC, it says that in the MySQL documentation. I didn't know that initially, and my host upgraded versions of MySQL... and the PASSWORD function was changed, and was not backwards compatible. :| I no longer rely on that. ;)
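The scheme the thread converges on (a random per-user salt stored in the same row as the hash, plus a static salt kept in a file outside the document root, as pcthuglife and GeekDrew describe) is illustrated below as an added example; it is not code from any poster. Python and an in-memory SQLite table stand in for PHP and the MySQL `users` table, the `STATIC_SALT` constant is a labelled placeholder for the value a site would keep in something like `/var/secure/salt.php`, and the user names and passwords are constructed sample input. The demo also shows Thyme's point about searchable md5 databases: two users with the same password get different stored hashes once a per-user salt is mixed in, so a precomputed table of plain md5 values is useless against the stored column.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Placeholder for the site-wide secret kept outside the web root
# (the thread's /var/secure/salt.php). Constructed value, not a real secret.
STATIC_SALT = "REPLACE-WITH-A-LONG-RANDOM-VALUE-KEPT-OUTSIDE-WEBROOT"


def hash_password(password: str, user_salt: str, static_salt: str = STATIC_SALT) -> str:
    """The thread's construction: md5 over static salt, per-user salt and password.

    The per-user salt is what defeats lookup tables of plain md5 values;
    the static salt is only useful if an attacker gets the table but not the file system.
    """
    material = (static_salt + user_salt + password).encode("utf-8")
    return hashlib.md5(material).hexdigest()


def create_user(conn: sqlite3.Connection, username: str, password: str) -> tuple[str, str]:
    """Insert a user with a fresh random salt; salt and hash live in the same row."""
    user_salt = secrets.token_hex(16)            # 32 hex chars from the OS CSPRNG
    digest = hash_password(password, user_salt)
    conn.execute(
        "INSERT INTO users (username, salt, pwhash) VALUES (?, ?, ?)",  # parameterised query
        (username, user_salt, digest),
    )
    return user_salt, digest


def verify_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    row = conn.execute(
        "SELECT salt, pwhash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    user_salt, stored = row
    return hmac.compare_digest(hash_password(password, user_salt), stored)


def demo() -> dict:
    """Build a sample table and return observations a reader can check."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt TEXT NOT NULL, pwhash TEXT NOT NULL)"
    )
    # Constructed sample users sharing the same weak password.
    create_user(conn, "alice", "letmein")
    create_user(conn, "bob", "letmein")
    hashes = [r[0] for r in conn.execute("SELECT pwhash FROM users ORDER BY username")]
    unsalted = hashlib.md5(b"letmein").hexdigest()
    return {
        # Without a salt every user with this password would store exactly this value,
        # which is what a searchable md5 database looks up.
        "unsalted_hash_is_constant": unsalted == hashlib.md5(b"letmein").hexdigest(),
        # With per-user salts the two stored hashes differ.
        "salted_hashes_collide": hashes[0] == hashes[1],
        "alice_correct_password": verify_login(conn, "alice", "letmein"),
        "alice_wrong_password": verify_login(conn, "alice", "letmeout"),
        "unknown_user": verify_login(conn, "carol", "letmein"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterised `?` placeholders do in SQLite what prepared statements do in MySQL; building the query by string concatenation is the separate, bigger risk on a site that takes passwords from a form. The construction itself is the one the thread discusses: md5 is a fast hash, so even salted it only stops precomputed lookups, not a brute-force run against a leaked table, which is why current practice replaces the md5 step with a deliberately slow password hash (PHP's `password_hash()`, bcrypt, or PBKDF2) while keeping the per-user salt in the same row exactly as GeekDrew describes.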
 
Jan 27, 2002
Thanks GeekDrew!

That's the sort of info I'm looking for folks.

Congratulations to the first person who actually answered the question.

Thanks for all the replies anyway.