Adding a SALT to your passwords

Outer

Well, adding SALTs to your passwords is basically an added security type of thing.

Usually people just add them to the back or front of the string or something of the sort. I broke up the password and salt and put them "side" of each other basically.

This script breaks up the 32-bit md5 password, adds a random SALT to it if you don't already have a SALT, then combines them and returns a 64-bit virtually unbreakable password (ofc anything can be broken, that's why I said "virtually" :P)

PHP:
<?php
function add_salt ($password, $salt = FALSE)
{
    // The number of characters you want in each piece of the array
    $char_num = 4;
    // The $password variable MUST be md5 BEFORE it is run through the script
    // This splits the string into arrays of 4 characters
    $string = str_split($password, $char_num);

    if ($salt == FALSE)
    {
        // Create your own SALT
        // We use MD5 on this method also to make sure it's 32 characters
        // This also makes it EXTREMELY harder to guess!
        $salt = md5(uniqid(rand(), true));
    }
    
    // Now that the SALT is set or was already set, we can now divide the salt and
    //  start alternating entering the data
    $salt = str_split($salt, $char_num);
    
    $i = 0; // set it for the SALT identifier
    foreach ($string AS $part)
    {
        $final_password[] = $part.$salt[$i];
        $i++;
    }
    
    return implode($final_password);
}

$password = add_salt(md5("This is a password"));
echo $password;

?>

When using this with a DB, just add a field in the users table named SALT and insert the SALT when it is created. You will need to add some kind of user identifier with that also.
 
1
•••
very nice post! thanks for sharing
 
0
•••
Hmmm, this code script can be useful, thanks!
 
0
•••
Before anyone goes and tries this, the function str_split() requires php5.

http://us2.php.net/str_split

PHP:
if (!function_exists('str_split')){
     function str_split($string, $split_length=1){

         if ($split_length < 1){
           return false;
         }

         for ($pos=0, $chunks = array(); $pos < strlen($string); $pos+=$split_length){
           $chunks[] = substr($string, $pos, $split_length);
         }
         return $chunks;
     }
   }
(first post on php.net documentation for str_split)

Just add that to your file before you go and use this on versions of php below 5.

Nice post :)

Cody
 
0
•••
So why not just do

PHP:
$password = md5(sometext.$password);
 
0
•••
axilant said:
Before anyone goes and tries this, the function str_split() requires php5.

http://us2.php.net/str_split

PHP:
if (!function_exists('str_split')){
     function str_split($string, $split_length=1){

         if ($split_length < 1){
           return false;
         }

         for ($pos=0, $chunks = array(); $pos < strlen($string); $pos+=$split_length){
           $chunks[] = substr($string, $pos, $split_length);
         }
         return $chunks;
     }
   }
(first post on php.net documentation for str_split)

Just add that to your file before you go and use this on versions of php below 5.

Nice post :)

Cody

cool, thanks for mentioning that!
 
0
•••
Nice work, I'll check it out, maybe use it soon for some things I will be working on :p
 
0
•••
very nice.. thank you :)
 
0
•••
snareklutz said:
So why not just do

PHP:
$password = md5(sometext.$password);

PHP:
$password = md5("sometext".$password);

SALT is random characters. You can do that if you want.

iNod.
 
0
•••
Outer said:
Well, adding SALT's to your passwords are basically an added security type of thi

if you don't already have a SALT, then combines them and returns a 64-bit virtually unbreakable password (ofc anything can be broken, that's why I said "virtually" :P)

A salt does not make a password more unbreakable, it reduces the damage when one is broken as you can't reuse the same attack vectors on multi passwords at the same time.

Also, md5 should no longer be used.
 
0
•••
that's very useful. thank you
 
0
•••
Thanks, I might try that. Now I just need to work out all about functions.
 
0
•••
theparrot said:
A salt does not make a password more unbreakable, it reduces the damage when one is broken as you can't reuse the same attack vectors on multi passwords at the same time.

Also, md5 should no longer be used.


Agreed. md5 can be cracked. Yep. It can be.

I suggest you all start using sha1 or sha2
http://php.net/sha1
 
0
•••
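An added example, not part of any post in this thread and not any poster's code: it shows that the interleaving scheme from the first post leaves the unsalted MD5 intact inside the stored string, so two users with the same password still share the same digest, and contrasts it with PHP's password_hash() (PHP 5.5+), where the salt is an input to the hash. The helper strip_salt() and the two salt strings are constructed for illustration.

```php
<?php
// The first post's scheme, condensed: interleave 4-character pieces
// of the MD5 digest with 4-character pieces of the salt.
function add_salt($md5, $salt)
{
    $salt_parts = str_split($salt, 4);
    $out = '';
    foreach (str_split($md5, 4) as $i => $part) {
        $out .= $part . $salt_parts[$i];
    }
    return $out;
}

// Hypothetical helper: drop the salt pieces again. Each 8-character
// chunk of the stored value is 4 digest characters + 4 salt characters.
function strip_salt($stored)
{
    $md5 = '';
    foreach (str_split($stored, 8) as $chunk) {
        $md5 .= substr($chunk, 0, 4);
    }
    return $md5;
}

$pw    = 'This is a password';                       // sample from the thread
$alice = add_salt(md5($pw), md5('salt-for-alice'));  // constructed salts
$bob   = add_salt(md5($pw), md5('salt-for-bob'));

// The stored strings look different, but the salt never entered the hash:
// removing it yields the plain md5($pw) for both users.
echo "stored values equal:        "; var_dump($alice === $bob);
echo "alice stripped == md5(pw):  "; var_dump(strip_salt($alice) === md5($pw));
echo "alice and bob share digest: "; var_dump(strip_salt($alice) === strip_salt($bob));

// Salt as an input to the hash: password_hash() generates a random salt,
// feeds it through a slow password hash and embeds it in the result,
// so no separate SALT column is needed.
$hash_a = password_hash($pw, PASSWORD_DEFAULT);
$hash_b = password_hash($pw, PASSWORD_DEFAULT);

echo "two hashes of same pw equal: "; var_dump($hash_a === $hash_b);
echo "correct password verifies:   "; var_dump(password_verify($pw, $hash_a));
echo "wrong password verifies:     "; var_dump(password_verify('wrong guess', $hash_a));
```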