database - Is PHP password salt really necessary?
I've asked myself this question a dozen times.
Is a password salt necessary?
I couldn't find any literature on the subject.
From a security perspective, do password salts help? If the database is breached, isn't the salt lost along with the password anyway?
Also, from a brute-force perspective, if I ban IPs, is there any reason to store salts?
Yes, you should always use salts. Fortunately, PHP is pretty clever. From this article:
If you use the default options of the password_hash() function, PHP will generate a random salt each time a password is hashed. The random salt is an additional layer of security that makes it exceptionally hard to crack passwords. If 2 or more users use the same password, each of the hashes will be different.
This does away with having to generate a salt yourself and leaves the heavy lifting to PHP. The verification piece, password_verify(), uses the random salt placed in the hash to be able to test against the given password.
From the docs for password_verify():
Note: password_hash() returns the algorithm, cost and salt as part of the returned hash. Therefore, all information that's needed to verify the hash is included in it. This allows the verify function to verify the hash without needing separate storage for the salt or algorithm information.
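The behaviour the answer describes, shown end to end as an added example (this is not code from the original answer or from the PHP project): the same password hashed twice yields two different strings because each call draws a fresh random salt, both strings still verify because the salt travels inside the hash, and the stored string can be upgraded later with password_needs_rehash(). The sample password and the cost of 12 are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not from the original answer. Demonstrates that
// password_hash() salts automatically and password_verify() needs nothing
// but the stored string.

function registerUser(string $plain): string
{
    // PASSWORD_DEFAULT is currently bcrypt ("$2y$"); a fresh random salt is
    // generated inside password_hash() on every call.
    return password_hash($plain, PASSWORD_DEFAULT);
}

function loginUser(string $plain, string $storedHash): bool
{
    // The algorithm, cost and salt are all parsed out of $storedHash itself,
    // so no separate salt column is needed in the database.
    return password_verify($plain, $storedHash);
}

function check(bool $condition, string $what): void
{
    if (!$condition) {
        throw new RuntimeException("Check failed: $what");
    }
    echo "ok: $what", PHP_EOL;
}

$password = 'correct horse battery staple'; // constructed sample password

$hash1 = registerUser($password);
$hash2 = registerUser($password);

// Two users with the same password get different hashes, so cracking one
// user's hash tells an attacker nothing about the other user's.
check($hash1 !== $hash2, 'same password, different salts, different hashes');

// Each stored string verifies on its own, because it carries its own salt.
check(loginUser($password, $hash1), 'hash1 verifies the correct password');
check(loginUser($password, $hash2), 'hash2 verifies the correct password');
check(!loginUser('wrong password', $hash1), 'wrong password is rejected');

// Anatomy of the stored string: "$2y$" selects bcrypt, the next field is the
// cost, then the 22-character salt immediately followed by the hash.
echo $hash1, PHP_EOL;

// When you later want a higher work factor, existing hashes can be upgraded
// transparently at the user's next successful login. Cost 12 is an assumed
// example value.
$strongerOptions = ['cost' => 12];
if (password_needs_rehash($hash1, PASSWORD_DEFAULT, $strongerOptions)) {
    $hash1 = password_hash($password, PASSWORD_DEFAULT, $strongerOptions);
    check(loginUser($password, $hash1), 'rehashed string still verifies');
}
```

Run it with php on the command line; every "ok:" line corresponds to one of the claims in the answer above. The practical consequence for the question's breach scenario is visible in the printed hash: the attacker does get the salt, but it only stops precomputed (rainbow-table) attacks and forces each user's hash to be attacked separately; the cost parameter is what makes each individual guess expensive.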