views:

76

answers:

2

Hi,

I would just like your feedback on something.

Basically I have a value called $uniqueID which is = ID + First Letter of First Name + First Letter of Last Name + The String "CAN"

I have then turned $uniqueID into a salt value as follows: $salt = sha1($uniqueID);

I have then turned the user's password into a hash value using md5().

I have then stored these two values separately in a database using the correct data types.

I was just wondering if this would be a secure way to secure two types of user validation? The password validation would be done by the user and the $uniqueID would be done via a script.

I won't be offering a service to remind you of your password you will have to create a brand new one.

I have also implemented some security for the sessions.

A: 

I'd recommend using sha1 on both the $uniqueID and the password field.

Also, make sure to salt your password field.

Also, it is worth noting that one-way hashes can arrive at the same value from different inputs. As Gumbo points out, if you are planning on using $uniqueID as a unique ID, you will run into problems. (So don't ;-)

If you want to use uniqueID as a session key, then you will want to at least check for collision before using it. See Zend.Session, CodeIgniter->session and Kohana::Session.

Sean Vieira
How would I salt the password field?
Oliver Bayes-Shelton
The same way you are salting the `ID` field ... a salt is an additional input that is added to the input string before it is hashed. (It can be fixed, generated, or both). So you could use `sha1("myS4lt" . $password . "in3cr4ckEr!")` I'd just use a fixed salt, since you would invalidate passwords if you allowed users to change their names and you salted passwords with user initials.
Sean Vieira
So would I be better off just using sha1 for the password and leaving $uniqueID as a normal string? Should I consider putting more security into the sessions to validate that a user is the real user?
Oliver Bayes-Shelton
It depends on what you want to use `$uniqueID` for. If you are planning on using it for your session key then you probably still want to hash it too -- just double check and make sure you don't have collisions. I'd check out some mature session engines; for example Zend.Session and CodeIgniter's and Kohana's sessions. I'll add links in my answer.
Sean Vieira
+1  A: 

In general, a salt is a random value that is unique for each datum it is used for. That means each user should have their own random and unique salt that is used when hashing their password. And don't use any user information to generate a salt.

You could, for example, use rand and uniqid to generate a random and unique salt for each user:

$salt = uniqid(rand(), true);

This salt would be both unique and random.

Gumbo
No, just pseudo random with weak entropy.
Kai Sellgren
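As an added illustration (not code from either answer, and not the question's scheme), this is how the per-user random salt Gumbo describes and the "salt goes in before hashing" step from Sean Vieira's answer fit together at registration and login. The names USER_TABLE, register, verify and same_password_same_hash are my own. It draws the salt from Python's secrets module, which is the CSPRNG alternative to the rand()/uniqid() pair Kai Sellgren flags as weak entropy, and it uses PBKDF2-HMAC-SHA256 as the hash step in place of a single sha1()/md5() call; the in-memory table stands in for the two database columns the question mentions.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for the users table: username -> (salt, hash).
# A real application keeps these as two columns next to the user record.
USER_TABLE = {}

SALT_BYTES = 16          # 128-bit salt, generated fresh for every user
PBKDF2_ROUNDS = 100_000  # work factor; raise it as hardware gets faster


def new_salt():
    """Fresh salt from the OS CSPRNG. Nothing about the user goes into it,
    so it cannot be predicted and does not change if the user renames themselves."""
    return secrets.token_bytes(SALT_BYTES)


def hash_password(password, salt):
    """Salted, iterated hash. The salt is a separate input to the KDF rather
    than a string glued onto the front of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register(username, password):
    """Store (salt, hash) for a new account; the plaintext is never kept."""
    salt = new_salt()
    USER_TABLE[username] = (salt, hash_password(password, salt))


def verify(username, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    record = USER_TABLE.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt, stored = record
    return hmac.compare_digest(stored, hash_password(password, salt))


def same_password_same_hash(password):
    """What a per-user salt buys: two accounts with the identical password end up
    with different stored hashes, so one cracked record tells you nothing about
    the other. Returns True only if the two hashes collide, which they should not."""
    register("alice", password)
    register("bob", password)
    return USER_TABLE["alice"][1] == USER_TABLE["bob"][1]


if __name__ == "__main__":
    print("hashes collide:", same_password_same_hash("correct horse"))  # False
    print("alice, right password:", verify("alice", "correct horse"))     # True
    print("alice, wrong password:", verify("alice", "wrong"))             # False
```

The two things to check when reading your own version against this are that the salt never comes from user-supplied or user-derived data (the ID-plus-initials value in the question is both predictable and changes when the name does), and that verification uses the salt stored with that specific record rather than recomputing it from anything else.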