salt and hash generation question

Question

Hi,

I would just like your feedback on something.

Basically I have a value called $uniqueID which is = ID + First Letter of First Name + First Letter of Last Name + The String "CAN"

I have then turned $uniqueID into a salt value as followed $salt = sha1($uniqueID);

I have then turned the user's password into a hash value using md5().

I have then stored these two values seperatley in a database using the correct data types.

I was just wondering if this would be a secure way to secure two types of user validation ? The password validation would be done by the user and the $uniqueID would be done via a script.

I won't be offering a service to remind you of your password you will have to create a brand new one.

I have also implmented some secuirty for the sessions.

Answer 1

I'd recommend using sha1 on both the $uniqueID and the password field.

Also, make sure to salt your password field.

Also, it is worth noting that one way hashes can arrive at the same value from different inputs. As Gumbo points out, if you are planning on using $uniqueID as a unique ID, you will run into problems. (So don't ;-)

If you want to use uniqueID as a session key, then you will want to at least check for collision before using it. See Zend.Session, CodeIgniter->session and Kohona::Session

Answer 2

In general, a salt is a random value that is unique for each datum it is used for. That means each user should have its own random and unique salt that is used when hashing its password. And don’t use any user information to generate a salt.

You could, for example, use rand and uniqid to generate a random and unique salt for each user:

$salt = uniqid(rand(), true);

This salt would be both unique and random.