[ What is SALT and how do I use it? ]
I have been searching around and I am still unsure of what a "salt" is and how to use/implement it. Sorry for the noobish question, I am self-learning PHP.
I am definitely not an expert, but the really short answer is that "salting" a line of text means to stick a few extra characters on the end of it. You could salt "salt" with "abcdefg" to get "saltabcdefg". This might be useful if "salt" happens to be a password that you'd like to make more difficult to guess.
Typically, the password+salt are transformed ('hashed') by some difficult-to-reverse process into a completely different string. This transformed string is then stored as the password, together with the plaintext of the salt, and the original plain text of the password proper is tossed away. When you want to check that someone has input the correct password, you combine whatever they've typed in with the salt that's listed in the password file and then hash the result. If the result matches the password hash you have on record, then you know that they've put in the right password.
Implementing a salt can be as easy as picking a string to serve as the salt and then making sure you keep track of it. But, you could vary the salt with each password, and then you'll have to have a way of keeping track of password+salt combinations as well as generating the variations. Of course, you'll probably also want to hash the password rather than saving the password's plain text, and so you'll have to pick a hash function. At this point, the problem has proceeded from salting proper to implementing a password security scheme.
For PHP, you might want to look at how some of the frameworks have implemented this. Two quick links, for CakePHP and Zend, respectively:
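The scheme described above (store the hash plus the plaintext salt, verify by recombining and re-hashing), written out as an added PHP example that is not part of the original answer or of any framework. It assumes PHP 7.1+ for random_bytes() and array destructuring; the "salt:hash" storage format, the SHA-256 choice and the user names are constructed for illustration.

```php
<?php
// Added example: per-user random salt, hash, store, verify (not from the original answer).
// Assumes PHP 7.1+. Storage format "salt:hash" and the sample users are constructed here.

// Constructed in-memory "password file": username => "salt:hash"
$users = [];

// Register a user: generate a fresh random salt, hash salt.password, keep both.
function register(array &$users, string $username, string $password): void
{
    $salt = bin2hex(random_bytes(16));           // 32 hex chars, different for every user
    $hash = hash('sha256', $salt . $password);   // the answer's recipe: hash(salt + password)
    $users[$username] = $salt . ':' . $hash;     // the plaintext salt is stored beside the hash
}

// Verify a login: read the stored salt, recombine it with the typed password, compare hashes.
function verify(array $users, string $username, string $candidate): bool
{
    if (!isset($users[$username])) {
        return false;                            // unknown user
    }
    [$salt, $storedHash] = explode(':', $users[$username], 2);
    $candidateHash = hash('sha256', $salt . $candidate);
    // hash_equals() compares in constant time so the comparison itself leaks nothing.
    return hash_equals($storedHash, $candidateHash);
}

// Two users pick the identical password 'hello123' (constructed sample data).
register($users, 'alice', 'hello123');
register($users, 'bob',   'hello123');

// Because the salts differ, the stored records differ: alice cannot spot from the
// password file that bob reused her password, which is the point of salting.
var_dump($users['alice'] !== $users['bob']);

var_dump(verify($users, 'alice', 'hello123'));   // correct password
var_dump(verify($users, 'alice', 'Hello123'));   // wrong case
var_dump(verify($users, 'carol', 'hello123'));   // unknown user

// In real applications use password_hash()/password_verify(): they generate the salt
// and apply a deliberately slow hash (bcrypt by default) instead of a single SHA-256.
```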
When I first asked this question, many years ago, I was asked in response, "What does salt do for food?" The answer is that it adds variety to food. The idea behind cryptographic salt is that it's something you add to the end or beginning of a string in order that two passwords that are identical don't hash to the same cryptographic value.
Consider this - if I had a password that was really common, like 'hello123', and then it hashed to the exact same cryptographic hash as all other 'hello123' passwords, couldn't I just look in the list of hashed passwords to see who else had the same cryptographic hash, and use my password on their account?
Well, it's in the comments, thanks ceejayoz
A salt is something you add to a string before you hash it; it adds another layer of security to passwords and the like.
A salt is a (short) string that is added to the string you want to encrypt or hash. An Example:
<?php $password = 'abcdefg'; $salt = 'anythingyouwant_'; $pw_hash = md5($salt.$password); ?>
This adds security to the hash, as it's unlikely that "anythingyouwant_abcdefg" is already stored in a hash database (http://en.wikipedia.org/wiki/Rainbow_tables).
For some reason, salts are usually hard for people new to cryptography to grasp. Once it clicks, though, the concept is extremely simple. Have a look at this article; I think it explains the concept better than most.
Let us spice things up a little by combining several algorithms for hashing, making a double hashing algorithm:
$password = "myPassword"; $salt = sha1(md5($password)).'k32duem01vZsQ2lB8g0s'; $password = md5($password.$salt);
As you can see, we first hashed the password using a double hashing algorithm (md5 and sha1) and concatenated it with a key to create a salt value. After that, we combined the real password with the generated salt value and hashed it again with md5. The advantage is that this way the salt value is random and it changes, making it nearly impossible to break. I mean, if you can wait a million years and have a supercomputer on your hands, try to break it.