4

I've been reading all kinds of forums and tutorials about this password_hash() that seems to be good for password protection.

But now I want to know if it's better to make my own salt and hash for the function like

<?php
$password = 'correct horse battery staple'; // example input

$options = [
    'cost' => 11,
    // 22 raw random bytes from /dev/urandom; password_hash() re-encodes any
    // bytes outside the bcrypt salt alphabet (./A-Za-z0-9) before using them
    'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM),
];
$hash = password_hash($password, PASSWORD_BCRYPT, $options);

Or just let the function do it:

$hash = password_hash($password, PASSWORD_DEFAULT);

There seems to be a lot of discussion about whether or not it's good or bad to use your own salt.

Can somebody explain why it's bad (or not) to use your own salt?

Refilon
    From the [docs](http://php.net/manual/en/function.password-hash.php), "Caution - It is strongly recommended that you do not generate your own salt for this function. It will create a secure salt automatically for you if you do not specify one." There are many comments in the docs about how cryptographically safe the auto-generated salt is and that creating your own could result in problems. *It is much more secure* to allow the function to create the salt. – Jay Blanchard Jan 06 '15 at 14:36

2 Answers

3

Because if you don't create your own salt, it will create a secure salt automatically for you.

From the documentation:

Caution

It is strongly recommended that you do not generate your own salt for this function. It will create a secure salt automatically for you if you do not specify one.

So, to answer your question, if you don't know more about salts or other details... Just don't use your own salt, this function is strong enough!

Clément Andraud
  • Thanks very much. I also read about that, but wanted to be 100% sure before using it in a website I'm making. I'll mark your answer as correct when I can. – Refilon Jan 06 '15 at 14:42
1

Salts are just a protection against a rainbow table attack.
It won't make one hash more difficult to break, but instead the larger whole.
If you use a different salt for every hash, the attacker will need to make a rainbow table for every password.
Which is impractical in terms of work and time.
Generating a salt with a pseudorandom RNG will do the job of protecting the larger whole of your passwords.
https://crypto.stackexchange.com/questions/1776/can-you-help-me-understand-what-a-cryptographic-salt-is

As the function already generates a secure salt, it is not recommended to generate your own with an RNG that is practically worse.
Just let the function generate a strong salt and it will be fine and cost less work too as you do not have to create salts yourself.
Correct way of creating salted hash password

Quote from previous link:

It is recommended that you do not pass your own salt, instead let the function create a cryptographically safe salt from the random source of the operating system.

The salt will be included in the resulting hash-value, so you don't have to store it separately. Just create a 60 character string field in your database and store the hash-value. The function password_verify() will extract the used salt from the stored hash-value. For more information you can have a look at my tutorial about storing passwords.

Mramaa
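To illustrate what the two answers describe (a per-user salt generated by password_hash() itself, stored inside the hash string and recovered by password_verify()), here is an added example; it is not code from either answer. It assumes PHP 7.1 or newer and uses an in-memory $users array as a stand-in for the database column.

```php
<?php
// Added example (not from the original answers). Assumes PHP >= 7.1.
// $users stands in for a table with a VARCHAR(255) hash column; 60 chars
// is enough for bcrypt, but PASSWORD_DEFAULT may change in future versions.
$users = [];

// Precomputed hash used to keep login timing the same for unknown users.
$dummyHash = password_hash('dummy', PASSWORD_DEFAULT, ['cost' => 11]);

function register(array &$users, string $name, string $password): void {
    // No 'salt' option: password_hash() draws a fresh salt from the OS CSPRNG.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT, ['cost' => 11]);
}

function login(array &$users, string $name, string $password, string $dummyHash): bool {
    if (!isset($users[$name])) {
        password_verify($password, $dummyHash); // same work as a real check
        return false;
    }
    // password_verify() parses algorithm, cost and the 22-char salt out of
    // the stored string, so no separate salt column is needed.
    if (!password_verify($password, $users[$name])) {
        return false;
    }
    // Transparently upgrade old hashes if cost or default algorithm changed.
    if (password_needs_rehash($users[$name], PASSWORD_DEFAULT, ['cost' => 11])) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT, ['cost' => 11]);
    }
    return true;
}

register($users, 'alice', 'correct horse battery staple');
register($users, 'bob',   'correct horse battery staple');

// Same password, different per-user salt, so the stored values differ.
var_dump($users['alice'] !== $users['bob']);

// Bcrypt layout: "$2y$<cost>$" followed by 22 salt chars and 31 hash chars.
[$alg, $cost, $rest] = array_slice(explode('$', $users['alice']), 1);
printf("algo=%s cost=%s salt=%s\n", $alg, $cost, substr($rest, 0, 22));

var_dump(login($users, 'alice', 'correct horse battery staple', $dummyHash));
var_dump(login($users, 'alice', 'wrong password', $dummyHash));
var_dump(login($users, 'carol', 'anything', $dummyHash));
```

Running it twice shows that alice's stored hash differs between runs as well, since each call to password_hash() picks a new salt.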