I've been reading around a few different guides/tutorials on this topic and found the following:
I know that what I've read there is a very secure way to store a user's password. I've made an attempt to combine the 2 slightly, while instead of using mt_rand like in the first example, I've generated my own dynamic salt.
Here is my code:
<?php
$static_salt = ""; // Removed value for obvious reasons
$dynamic_salt_choice = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
$dynamic_salt_length = 40;
$dynamic_salt = "";
$dynamic_salt_max = strlen($dynamic_salt_choice) - 1;
// Build a 40-character dynamic salt by picking random characters from the alphabet above
for ($i = 0; $i < $dynamic_salt_length; $i++) {
    $dynamic_salt .= substr($dynamic_salt_choice, rand(0, $dynamic_salt_max), 1);
}
// $password is assumed to come from the login/registration form (not in the original snippet)
$password = $_POST['password'];
$password_length = strlen($password); // PHP has no length(); strlen() returns the byte length
$split_at = max(1, intdiv($password_length, 2)); // str_split() needs a positive integer chunk size
$password_array = str_split($password, $split_at);
// Insert the static salt between the two halves (second half may be missing for 1-character passwords)
$password = $password_array[0] . $static_salt . ($password_array[1] ?? '');
$password_hash = hash_hmac('sha512', $password, $dynamic_salt);
?>
According to me this is fetching a static salt, generating a dynamic salt, we're then splitting the given password in 2 parts in an array and adding the static salt in between the two password sections. We are then hashing the password with sha512 along with the dynamic salt.
My question to you is, is this more secure or just as secure as the 2 methods I've linked to? Or am I making it more vulnerable by mixing things up this way?
I also take it storing $password_hash in a cookie alongside a username cookie for automatic login is a big no-no? If so, how do websites remember you through cookies in a secure manner?
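For comparison with the snippet in the question, here is an added example (not the asker's code) of the approach PHP's standard library provides for both parts of the question: password storage via password_hash()/password_verify(), which generate and embed their own CSPRNG salt and use a deliberately slow hash, and a "remember me" cookie built from a random selector/validator token rather than from the password hash. It assumes PHP 7.1 or later, a PDO connection `$db`, and a `remember_tokens` table with the columns used below; all of those names are assumptions.

```php
<?php
// Added example, not the original post's code. Assumes PHP >= 7.1, a PDO
// connection $db and a remember_tokens(selector, validator_hash, user_id, expires) table.

// 1. Password storage: password_hash() picks its own random salt with a CSPRNG and
//    embeds it in the returned string, so no hand-rolled static/dynamic salt or
//    password splitting is needed. PASSWORD_DEFAULT is bcrypt, which is intentionally slow.
function storePassword(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkPassword(string $password, string $storedHash): bool {
    return password_verify($password, $storedHash);
}

// 2. "Remember me": never put the password hash in the cookie. Issue a random token,
//    keep only a hash of its secret part server-side, and compare with hash_equals().
function issueRememberToken(PDO $db, int $userId): string {
    $selector  = bin2hex(random_bytes(8));   // lookup key, fine to index on
    $validator = bin2hex(random_bytes(32));  // secret; only the browser keeps the plaintext
    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires)
         VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId,
                    date('Y-m-d H:i:s', time() + 30 * 86400)]);
    return $selector . ':' . $validator;  // value for the cookie
}

function checkRememberToken(PDO $db, string $cookie): ?int {
    [$selector, $validator] = explode(':', $cookie, 2) + [null, null];
    if ($selector === null || $validator === null) { return null; }
    $stmt = $db->prepare(
        'SELECT user_id, validator_hash FROM remember_tokens
         WHERE selector = ? AND expires > NOW()');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) { return null; }
    // Constant-time comparison of the stored hash against the presented secret
    return hash_equals($row['validator_hash'], hash('sha256', $validator))
        ? (int) $row['user_id'] : null;
}

// Setting the cookie so it is only sent over HTTPS and not readable by JavaScript:
// setcookie('remember', issueRememberToken($db, $userId),
//           ['expires' => time() + 30 * 86400, 'secure' => true,
//            'httponly' => true, 'samesite' => 'Lax']);
```

A stolen cookie then exposes only a revocable token row, not anything derived from the password, and deleting the row (or letting it expire) ends the session.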