Forgive me guys, I am completely new to password security and encrypting...
I am having problems comparing stored passwords that have been encrypted using php's crypt() function (using the blowfish hasing method) to a user's input. One way I have found I can compare the passwords is to store the salt used during encryption, to then encrypt the users input and compare this to the stored password.
Is this a secure way of doing things? Or is there a better (more secure) way of doing it?
Thanks.
PHP's functions to generate a hash, will include the salt in the resulting hash-value. So if you store this hash-value, you already stored the salt. The verifying function can just extract this salt and use it again for verification. This method is safe, the salt is not meant to be secret.
Version 5.5 of PHP will have built-in support for BCrypt, the functions password_hash() and password_verify(). Actually these are just wrappers around the function crypt(), and shall make it easier to use it correctly. It takes care of the generation of a safe random salt, and provides good default values. For PHP version 5.3.7 and later, there exists a compatibility pack.
The easiest way to use this functions will be:
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
Using a unique salt per user is a very good idea.
Storing the unique salt used for the particular user, along with the user's hashed password is a very acceptable approach that probably not used nearly as widely as it should be.
To confuse anyone who may get direct access to the user table of your database, consider storing both the salt and the hash in the same field of your database. Use a character that won't be a part of your salt or your hash, such as a colon (:) to separate them. This makes it easier to tease them apart programmatically at runtime.
Have a look at this article: https://sheriframadan.com/2013/05/password-hashing/
It contains what is currently considered to be the best practice for password encryption. It involves using blowfish encryption with a unique salt for each key. No need to try to store a hash and salt as parseable strings because the salt and the has are all one string that can be passed in as is for comparison operations.
