This whole cryptology thing is a lot to swallow, but it's really interesting and I've been reading about it lately.
My question is about using blowfish to hash your passwords for storage. I know a salt is needed, but I'm not exactly sure what to do for it. I have some questions.
In many tutorials I read, people just seemingly randomly come up with one like "oidsjf03" and use it for all their salts. Do they just mash their keyboard or what?
I've also read a lot that says each password should have a unique hash. So I generate a separate salt for each password I store. Then I'd have to store that somewhere. Where, however? If I just store it as an entry in the user's row, if the database was compromised could they not just generate rainbow tables with that salt?
Would I be correct in saying this isn't viable, as they'd need to generate a rainbow table for every password, and with blowfish creating each hash would take a while, so this wouldn't be practical?
Why is having a unique one for each user so important? Say you're using blowfish and your database is compromised, and your salt gets captured as well. The hacker could create a rainbow table to test your passwords, but with a good amount of rounds on the hash, it may take 0.1 seconds per password, for instance. If they want to create a rainbow table with 1 billion entries, that's 100 million seconds to create it (or around 3 years).
If you used unique salts and had say 1000 passwords, they'd have to create 1000 rainbow tables, increasing the amount of time to 3000 years. Is this why? The amount of time goes up per password stored?
How do you generate this salt for the hash? Is PHP's uniqid() function enough or should I be doing some fancy stuff?
Do I really need to create a full out class et al, or can I create a simple function?
Lastly, I've heard phpass mentioned a lot for its security and how users should just use that instead of potentially making errors themselves. Is this really the recommended practice?
1- In many tutorials I read, people just seemingly randomly come up with one like "oidsjf03" and use it for all their salts. Do they just mash their keyboard or what?
Using the same salt for everything is a bad idea. Period.
2- I've also read a lot that says each password should have a unique hash. So I generate a separate salt for each password I store. Then I'd have to store that somewhere. Where, however? If I just store it as an entry in the user's row, if the database was compromised could they not just generate rainbow tables with that salt?
The salt is part of the hash. Rainbow tables only work when you have multiple users with the same salt. But they are all unique, right? So storing it with the hash is fine. Same goes for #3.
4- How do you generate this salt for the hash? Is PHP's uniqid() function enough or should I be doing some fancy stuff?
As of PHP 5.5, password hashing functions have been built directly into PHP. In the meantime, see the aforementioned link and in the comments is a link to a GitHub project that is forward compatible with these functions and available for PHP >= 5.3.7.
6- Lastly, I've heard phpass mentioned a lot for its security and how users should just use that instead of potentially making errors themselves. Is this really the recommended practice?
The built-in PHP functions are better because they will always be kept up-to-date should any security vulnerability become known. I would use them instead. However phpass is a very good alternative.
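The points above about per-password salts living inside the stored hash, shown with the built-in functions as an added example (not code from the answer or from the PHP project). The sample password, the cost values and the helper `bcrypt_parts` are assumptions made for illustration.

```php
<?php
// Added example: per-password salts with PHP's built-in API (PHP >= 5.5).
// bcrypt_parts() is a hypothetical helper; password and costs are constructed.

// Split a bcrypt string into its fields:
// $<variant>$<cost>$<22-char salt><31-char digest>
function bcrypt_parts($hash)
{
    $re = '/^\$(2[abxy])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return array('variant' => $m[1], 'cost' => (int) $m[2],
                 'salt' => $m[3], 'digest' => $m[4]);
}

$password = 'correct horse battery staple'; // constructed sample value
$options  = array('cost' => 12);            // assumed work factor; tune per server

// Two accounts with the same password: password_hash() generates a fresh
// random salt on every call, so the stored strings differ.
$alice = password_hash($password, PASSWORD_BCRYPT, $options);
$bob   = password_hash($password, PASSWORD_BCRYPT, $options);

$a = bcrypt_parts($alice);
$b = bcrypt_parts($bob);
printf("alice salt: %s\nbob salt:   %s\n", $a['salt'], $b['salt']);
printf("same salt? %s\n", $a['salt'] === $b['salt'] ? 'yes' : 'no');
printf("same stored hash? %s\n", $alice === $bob ? 'yes' : 'no');

// One column is enough: password_verify() reads the variant, cost and salt
// back out of the stored string, so no separate salt column is needed.
printf("correct password verifies: %s\n",
    password_verify($password, $alice) ? 'yes' : 'no');
printf("wrong password verifies:   %s\n",
    password_verify('wrong guess', $alice) ? 'yes' : 'no');

// After a successful login, re-hash if the stored cost is below current policy.
$policy = array('cost' => 13); // assumed newer policy
if (password_needs_rehash($alice, PASSWORD_BCRYPT, $policy)) {
    $alice = password_hash($password, PASSWORD_BCRYPT, $policy);
    $parts = bcrypt_parts($alice);
    printf("re-hashed at cost %d\n", $parts['cost']);
}
```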