Why should you NOT use your own `salt` while hashing a variable

Published on February 25, 2017

Before I get into hashing, I would like to explain what hashing is.

Hashing a variable is nothing but masking the original data into another format that is not understandable to a normal user. A machine, however, can still use the hashed value to verify a password or a secret key against it.
Examples of the types of data that are most commonly hashed are:

  1. Passwords
  2. Credit card data

Many people may ask whether that is similar to encryption. The answer is: partially yes. There is only one similarity between the two processes, encryption and hashing: in both, the original data gets masked.

Data --------> [Encryption/Hashing] --------> Masked Data

Difference between Hashing and Encryption

Encryption:-

In encryption all the attributes are supplied by the user, or predefined for the user, and encryption is a different procedure altogether.
Below are the attributes of encryption that differ from hashing:

  1. Algorithm
  2. Key or security hash (OpenSSL uses a security hash)
  3. Mode
  4. Bitrate
  5. Variable (the data that needs to be masked)
  6. Encoding (databases do not store symbols, so the output of encryption is converted to an encoded format)

Hashing:-

In hashing we use a different set of attributes:

  1. Salt
  2. Algorithm
  3. Algorithm options (the cost: the higher the integer value, the stronger the hash; the default is 10)
  4. Variable (the data that needs to be masked)

Now that we know the difference between hashing and encryption, let's get into the types of hashing:

  1. Server-defined hashing
  2. User-defined hashing

In server-defined hashing, on a PHP/Apache web server, the server hashes the variable automatically without any fuss; only the method needs to be defined:

```php
<?php
// Hashing by explicitly defining the algorithm (other supported algorithms are documented in the PHP manual)
echo password_hash('password', PASSWORD_BCRYPT);
echo "<br>";
// Hashing with the default algorithm set by the server
echo password_hash('password', PASSWORD_DEFAULT);
```
The output looks like the below (screenshot captions):

  1. Hashing by defining the algorithm
  2. Hashing by default set by the server
  3. Method of defining the attributes for the hashing

```php
<?php
$password_string = 'password'; // supplied variable
$options = array(
    'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM), // user-supplied salt (the 'salt' option is deprecated since PHP 7.0)
    'cost' => 12,
);
$password_hash = password_hash($password_string, PASSWORD_BCRYPT, $options);
echo $password_hash;
```

For the above, the output looks like this (screenshot):

Comparing the above image and output, any hacker would easily determine the parts below, because the "." being present separates the salt from the hashed password:

  1. "BE6DlYKR1PVVZnyAEmSO" as the encrypted password
  2. "$2y$" as the algorithm, BCRYPT
  3. "12$" as the cost
  4. "W/s0Pvaw2zgIWu/nq2pNdOghIMl1f7m4" as the
whereas in the other forms of hashing, namely

  1. hashing by defining the algorithm, or
  2. hashing by default set by the server,

we cannot determine the salt, because the "." is not present, which makes the hash much tougher to crack.

Hence hashing by defining your own salt is not recommended.
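As an added example (not code from the original post), here is the recommended form of the above: let `password_hash` generate the salt, verify with `password_verify`, and split the resulting bcrypt string into its fixed-width fields to show where the algorithm, cost, salt and digest live. The helper names `hashPassword`, `checkPassword` and `parseBcrypt` are my own.

```php
<?php
// Hash with a server-generated salt. No 'salt' option is passed: PHP draws
// fresh random bytes for every call, so the same password gives a new hash each time.
function hashPassword(string $password, int $cost = 12): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// password_verify reads the algorithm, cost and salt back out of the stored
// string itself, so nothing has to be kept in a separate column.
function checkPassword(string $password, string $stored): bool {
    return password_verify($password, $stored);
}

// A bcrypt string is $2y$<cost>$<22-char salt><31-char digest>, 60 characters
// in total, using the alphabet ./A-Za-z0-9; the fields are fixed width, so the
// salt is a separate, known field in every bcrypt hash.
function parseBcrypt(string $hash): array {
    if (!preg_match('~^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$~', $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['algo' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

$h1 = hashPassword('password');
$h2 = hashPassword('password');
var_dump($h1 !== $h2);                    // bool(true): a different salt on each call
var_dump(checkPassword('password', $h1)); // bool(true)
var_dump(checkPassword('Password', $h1)); // bool(false)
print_r(parseBcrypt($h1));                // algo, cost, salt and digest as separate fields

// When the cost is raised later, upgrade stored hashes transparently at the next login.
if (password_needs_rehash($h1, PASSWORD_BCRYPT, ['cost' => 13])) {
    $h1 = hashPassword('password', 13);
}
```

Running this shows that every bcrypt hash, whether or not a salt was supplied by hand, carries its salt in the same position; what the library-generated salt buys you is that it is random and unpredictable for every stored password.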