<div dir="ltr">OK... so you must know the reason why I stored the static salt in the DB in the first place... since the static salt was a user-defined value, I thought that if someone changes the static salt later at some point, the whole application will break down... so to avoid this, I also stored the static salt in the DB, so that even if the developer changes the salt at some point (like after some attack), the application won't fail; it would just start storing new hashes with the new salt and would get the old hashes with the old salt.<div>
So, if everyone votes up that static salts must not be stored in the DB, then I will change that. :)</div><div><br></div><div>However, the point you stated about the DB being compromised is perfectly genuine and legit. So, this is definitely a point worth discussing. ^_^</div>
<div><br></div><div><br></div><div>Now the second point. You said that you want to store the dynamic salt and the static salt, both in one column, by keeping the first 32 chars of the dynamic salt and 40 chars of the overall hash. I do not understand this point. Can you please explain this process in a bit more detail?</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Sep 3, 2013 at 7:32 AM, Abbas Naderi <span dir="ltr"><<a href="mailto:abiusx@owasp.org" target="_blank">abiusx@owasp.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">Yes<div class="im"><br><div>
<div style="font-weight:normal"><div>______________________________________________________________</div><div><b>Notice:</b> This message is <b>digitally signed</b>, its <b>source</b> and <b>integrity</b> are verifiable.</div>
<div>If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body. Read more at <a href="http://abiusx.com/certified-e-mail-with-comodo-and-thunderbird/" target="_blank">Certified E-Mail with Comodo and Thunderbird</a> in <a href="http://AbiusX.com" target="_blank">AbiusX.com</a></div>
</div>
</div>
<br></div><div><div class="h5"><div><div>On Sep 3, 2013, at 6:12 AM, Shivam Dixit <<a href="mailto:shivamd001@gmail.com" target="_blank">shivamd001@gmail.com</a>> wrote:</div><br><blockquote type="cite"><div dir="ltr">
<div>On Mon, Sep 2, 2013 at 9:47 PM, Abbas Naderi <span dir="ltr"><<a href="mailto:abiusx@owasp.org" target="_blank">abiusx@owasp.org</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">


<div style="word-wrap:break-word">Hi Shivam,<div>Good point.</div><div>We need to move the static salt to the library as a static confidential string object.</div><div>Thanks</div><div>-Abbas<br><div><span style="border-spacing:0px;text-align:-webkit-auto;border-collapse:separate;font-size:medium;font-family:Helvetica">

<div style="word-wrap:break-word"><span style="border-spacing:0px;text-align:-webkit-auto;border-collapse:separate"><div style="word-wrap:break-word">

<span style="border-spacing:0px;text-align:-webkit-auto;border-collapse:separate"><div style="word-wrap:break-word"><span style="border-spacing:0px;text-align:-webkit-auto;border-collapse:separate"><div style="word-wrap:break-word">


<span style="border-spacing:0px;text-align:-webkit-auto;border-collapse:separate"><div style="word-wrap:break-word"><span style="border-spacing:0px;text-align:-webkit-auto;border-collapse:separate"><div style="word-wrap:break-word">


<span style="border-spacing:0px;text-align:-webkit-auto;border-collapse:separate"><div style="word-wrap:break-word"><span style="border-spacing:0px;text-align:-webkit-auto;border-collapse:separate"><div style="word-wrap:break-word">


<span style="border-spacing:0px;text-align:-webkit-auto;border-collapse:separate"><div style="word-wrap:break-word"><br></div></span></div></span></div></span></div></span></div></span></div></span></div></span></div></span></div>


</span></div></div></div></blockquote><div> </div></div></div>Hello Abbas,<div><br></div><div>Shall I file an issue on GitHub for this problem also?</div><div class="gmail_extra"><br><div dir="ltr"><div style="color:rgb(136,136,136)">


<font color="#999999" face="verdana, sans-serif"><b>Cheers,</b></font></div><div style="color:rgb(136,136,136)"><font color="#999999" face="verdana, sans-serif"><b>Shivam</b></font></div>

</div>
</div></div>
</blockquote></div><br></div></div></div><br>_______________________________________________<br>
OWASP_PHP_Security_Project mailing list<br>
<a href="mailto:OWASP_PHP_Security_Project@lists.owasp.org">OWASP_PHP_Security_Project@lists.owasp.org</a><br>
<a href="https://lists.owasp.org/mailman/listinfo/owasp_php_security_project" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp_php_security_project</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div>Regards,</div><div>Rahul Chaudhary</div><div>Ph - 412-519-9634</div>
</div>
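The one-column layout discussed in the thread (32 hex chars of per-user dynamic salt followed by the 40-char hash), with the static salt kept in application config rather than the DB and the rotation worry from the first message handled by trying older peppers and re-hashing on a successful login, as an added example that is not code from the OWASP PHP Security Project. PBKDF2-HMAC-SHA1 with a 20-byte output, the iteration count and the pepper strings are assumptions chosen to fit the 40-char width.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Column layout the thread describes: one DB field holding
#   [32 hex chars: per-user dynamic salt][40 hex chars: hash]
# The static salt (pepper) stays in application config, never in the DB,
# so a dumped users table alone is not enough to recompute any hash.
SALT_HEX_LEN = 32
HASH_HEX_LEN = 40
ITERATIONS = 100_000  # assumed work factor

# Constructed peppers, newest first. A rotated pepper is prepended in
# config and the old one kept only so existing rows still verify.
PEPPERS: List[bytes] = [b"pepper-v2-constructed", b"pepper-v1-constructed"]


def _hash_hex(password: str, salt: bytes, pepper: bytes) -> str:
    # The pepper is bound in with HMAC; PBKDF2-HMAC-SHA1 with a 20-byte output
    # is an assumption that yields the 40-hex-char hash the layout calls for.
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha1", keyed, salt, ITERATIONS, dklen=20).hex()


def make_column(password: str, pepper: bytes = PEPPERS[0],
                salt: Optional[bytes] = None) -> str:
    """Build the 72-char column value for a new or re-hashed password."""
    salt = salt if salt is not None else os.urandom(SALT_HEX_LEN // 2)
    return salt.hex() + _hash_hex(password, salt, pepper)


def split_column(column: str) -> Tuple[bytes, str]:
    """Recover (salt bytes, hash hex) from a stored column value."""
    if len(column) != SALT_HEX_LEN + HASH_HEX_LEN:
        raise ValueError("malformed password column")
    return bytes.fromhex(column[:SALT_HEX_LEN]), column[SALT_HEX_LEN:]


def verify(password: str, column: str,
           peppers: List[bytes] = PEPPERS) -> Tuple[bool, Optional[str]]:
    """Check a login. Returns (ok, replacement): replacement is a fresh column
    value under the current pepper when an older pepper matched, else None."""
    salt, stored = split_column(column)
    for i, pepper in enumerate(peppers):
        if hmac.compare_digest(_hash_hex(password, salt, pepper), stored):
            # Row hashed under a rotated-out pepper: caller stores the upgrade.
            return True, (make_column(password, peppers[0]) if i > 0 else None)
    return False, None
```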