I have been doing some research on how to go about using a random salt per user's password. There are a few things that I am still unsure about. It is easy enough to store a random hash using something as the following:

$password = 'MySuperSectretPassword!';

$salt = substr(sha1(md5(uniqid(rand(), true))), 0, 24);
$CryptedPassword = crypt($password, $salt);

The part that I am confused about is how to keep track of what salts go with each user. Is it safe to store the salt in the database along with the user's password? (I would think not)

** If I am going about my salt generation and/or concept in the wrong way, please let me know.

I found this article on using crypt with sha512, but I just don't understand why you would want to use that since you can easily tell by looking at the password what they are doing to salt the password: "$6$rounds=5000$4d2c68c2ef979$". However, I do understand that they are using uniqid() which makes it pretty tough, but it's just the thought.

Please excuse my ignorance on the subject; I guess that's why i'm asking for a better explanation here :)

Thanks in advance!

5 Years
Discussion Span
Last Post by dschuett
This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.