Tags: php, passwords, salt-cryptography, crypt

Same salt or Different salt?


I have a super old version of PHP (please don't tell me to upgrade, for it will never be an option in our case) and I need to store passwords. I have seen posts like this and many more that say: use PHP's crypt(). I am just confused about one thing:

My question is: which is the proper way of storing passwords? Use ONE SAME SALT for all users' passwords, or a DIFFERENT RANDOMLY GENERATED SALT for each user's password?

My question arises because, in my experience, I haven't seen a database/table with a salt in each row; some have one salt in a config file, and it is used for salting all of the passwords. Also, I think storing a different salt for each user simply means more bytes to store.

Thanks guys ♥


Solution

  • You want to use a different salt. The idea is that the salt affects the resulting hash.

    When "hacking" passwords that have been exposed, malicious people will use "rainbow tables". These are essentially a reverse lookup that finds strings that hash to the given value. Rainbow tables can also be generated for common passwords.

    If you use one salt, a hacker will only have to generate one rainbow table. If you use a new salt for each password, the hacker has to generate rainbow tables for each password they wish to compromise.

    It is relevant to upgrade your PHP for modern hashing libraries (like bcrypt). However, there are back-ports for older versions of PHP, which I seriously recommend. Hashing functions for passwords are designed to be computationally expensive so that a password takes time to verify. The idea is that you cannot verify 1000 different password possibilities in any reasonably short amount of time.
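The per-user salt plus crypt() approach from the answer, as an added example that is not part of the original question or answer. It assumes PHP 5.3.0 or later (the first version where crypt() carries its own Blowfish/bcrypt implementation, so CRYPT_BLOWFISH is available regardless of the system libc) and a Unix host with /dev/urandom; the function names are illustrative, not a library API. The stored value is the full 60-character crypt string, which already embeds the cost and the salt, so there is no separate salt column to add.

```php
<?php
// Added example, not from the original post. Assumes PHP >= 5.3.0 (crypt()
// with built-in bcrypt) and a Unix host with /dev/urandom. Function names
// are illustrative, not a library API.

// Build a 22-character bcrypt salt from 16 random bytes.
// bcrypt's salt alphabet is ./A-Za-z0-9, so base64's '+' is mapped to '.'.
function generate_bcrypt_salt() {
    $fp = fopen('/dev/urandom', 'rb');
    if ($fp === false) {
        throw new RuntimeException('cannot open /dev/urandom');
    }
    $raw = fread($fp, 16);
    fclose($fp);
    if (strlen($raw) !== 16) {
        throw new RuntimeException('short read from /dev/urandom');
    }
    // 16 bytes -> 24 base64 chars; bcrypt consumes the first 22.
    return substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
}

// Hash a password with a fresh salt drawn for this call only. The returned
// string embeds prefix, cost and salt, so it is the only thing to store.
function hash_password($password, $cost = 10) {
    if (!defined('CRYPT_BLOWFISH') || CRYPT_BLOWFISH !== 1) {
        throw new RuntimeException('bcrypt not available in this crypt()');
    }
    // $2y$ (corrected handling of 8-bit characters) exists from PHP 5.3.7;
    // older builds only understand the $2a$ prefix.
    $prefix = version_compare(PHP_VERSION, '5.3.7', '>=') ? '$2y$' : '$2a$';
    $setting = sprintf('%s%02d$%s', $prefix, $cost, generate_bcrypt_salt());
    $hash = crypt($password, $setting);
    // crypt() signals failure with a short string such as '*0' instead of
    // a 60-character bcrypt hash; never store that.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() failed');
    }
    return $hash;
}

// Verify by running crypt() again with the stored hash as the setting
// string: crypt() reads the cost and salt back out of it. The comparison
// runs over every byte without an early exit, because hash_equals()
// only arrived in PHP 5.6.
function verify_password($password, $stored_hash) {
    $candidate = crypt($password, $stored_hash);
    if (strlen($candidate) !== strlen($stored_hash)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($stored_hash); $i++) {
        $diff |= ord($candidate[$i]) ^ ord($stored_hash[$i]);
    }
    return $diff === 0;
}

// Demo: hashing the same password twice yields two different stored values,
// because each call draws its own salt; both still verify, and a wrong
// password does not.
$h1 = hash_password('correct horse battery staple');
$h2 = hash_password('correct horse battery staple');
var_dump($h1 !== $h2);
var_dump(verify_password('correct horse battery staple', $h1));
var_dump(verify_password('wrong password', $h1));
```

Two users who happen to pick the same password end up with different rows, so a precomputed table built against one user's salt is useless against anyone else's, and the cost parameter (10 here; raise it as far as your login latency budget allows) is what keeps each guess slow. If the build is older than 5.3.0, crypt() only offers whatever the system libc provides, so check CRYPT_BLOWFISH at startup rather than assuming it, as the guard in hash_password() does.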