mysql - Using blowfish in PHP for storing passwords
This whole cryptology thing is a lot to swallow, but it's interesting, and I've been reading up on it lately.

My question is about using Blowfish to hash passwords for storage. I know a salt is needed, but I'm not sure about it. I have a few questions.

1- Many tutorials I read have people seemingly randomly come up with one like "oidsjf03" and utilize that as the salt. Do they just mash the keyboard or what?

2- I've read a lot that says each password should have a unique hash, so I'd generate a separate salt for each password I store. I'd have to store it somewhere. Where, however? If I store it as an entry in the user's row, and the database is compromised, could they not generate rainbow tables with the salt?

3- Would I be right in saying that isn't viable, since they'd need to generate a rainbow table for every password, and with Blowfish creating each hash taking a while, it wouldn't be practical?

Why is having a unique one for each user important? Say you're using Blowfish and the database is compromised, and the salt gets captured as well. A hacker can create a rainbow table to test passwords; with the amount of rounds on the hash, it may take 0.1 seconds per password, for instance. If they want to create a rainbow table with 1 billion entries, that's 100 million seconds to create (or around 3 years).

If I used unique salts and had 1000 passwords, they'd have to create 1000 rainbow tables, increasing the amount of time to 3000 years. Why? Does the amount of time go up per password stored?

4- How do I generate a salt for the hash? Is PHP's uniqid() function plenty, or should I be doing fancy stuff?

5- Do I need to build out a whole class et al., or can I create a simple function?

6- Lastly, I've heard phpass mentioned a lot for security and how users should utilize it instead of potentially making errors themselves. Is that the recommended practice?
1- Many tutorials I read have people seemingly randomly come up with one like "oidsjf03" and utilize that as the salt. Do they just mash the keyboard or what?

Using the same salt is a bad idea. Period.

2- I've read a lot that says each password should have a unique hash, so I'd generate a separate salt for each password I store. I'd have to store it somewhere. Where, however? If I store it as an entry in the user's row, and the database is compromised, could they not generate rainbow tables with the salt?

The salt is part of the hash. Rainbow tables work when you have multiple users with the same salt. Unique, right? So storing the hash is fine. The same goes for #3.

4- How do I generate a salt for the hash? Is PHP's uniqid() function plenty, or should I be doing fancy stuff?

As of PHP 5.5, password hashing functions have been built straight into PHP. In the meantime, see the aforementioned link and, in the comments, a link to a GitHub project that is forwards compatible with these functions and available for PHP >= 5.3.7.

6- Lastly, I've heard phpass mentioned a lot for security and how users should utilize it instead of potentially making errors themselves. Is that the recommended practice?

The built-in PHP functions are better because they are kept up-to-date should a security vulnerability become known. Utilize them instead. phpass is an alternative.
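As an added example (not code from the question or the answer above), here is what the built-in PHP 5.5+ functions look like in practice, covering questions 2, 4 and 5: password_hash() with PASSWORD_BCRYPT uses the Blowfish-based "$2y$" scheme, draws the salt from the operating system's CSPRNG itself (so uniqid() is neither needed nor appropriate), and embeds the salt in the 60-character string it returns, which is all you store in the user's row. The function names hashPassword, verifyPassword and rehashIfNeeded, the cost value and the sample password are choices made for this example; the cost of 10 used to build the "old" hash is likewise just a constructed input.

```php
<?php
// Added example, not from the original post: bcrypt through PHP's built-in
// password_hash()/password_verify()/password_needs_rehash() (PHP >= 5.5).

// Work factor: 2^12 bcrypt rounds. Tune so one hash takes roughly 100-250 ms
// on the login server; raise it as hardware gets faster. (Assumed value.)
const BCRYPT_COST = 12;

function hashPassword(string $plain): string
{
    // The salt is generated internally from the OS CSPRNG and stored inside
    // the returned "$2y$<cost>$<22-char salt><31-char hash>" string.
    $hash = password_hash($plain, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    if ($hash === false) { // PHP < 8 returns false on failure
        throw new RuntimeException('password_hash failed');
    }
    return $hash;
}

function verifyPassword(string $plain, string $storedHash): bool
{
    // password_verify() reads cost and salt back out of $storedHash and
    // compares in constant time; nothing else has to be stored or looked up.
    return password_verify($plain, $storedHash);
}

// Call after a successful login: if the stored hash was made with an older
// cost (or algorithm), return a fresh hash to write back, else null.
function rehashIfNeeded(string $plain, string $storedHash): ?string
{
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return hashPassword($plain);
    }
    return null;
}

// Demonstration on a constructed password.
$password = 'correct horse battery staple';

$h1 = hashPassword($password);
$h2 = hashPassword($password);
echo $h1, PHP_EOL, $h2, PHP_EOL;

// Same password, two different salts, two different strings: a rainbow table
// built against one user's salt says nothing about another user's hash.
var_dump($h1 !== $h2);
var_dump(strlen($h1) === 60 && strpos($h1, '$2y$' . BCRYPT_COST . '$') === 0);

// Verification works against either stored string.
var_dump(verifyPassword($password, $h1));
var_dump(verifyPassword($password, $h2));
var_dump(verifyPassword('wrong password', $h1));

// A hash made at a lower cost (constructed here with cost 10) is flagged for
// upgrade the next time the user logs in.
$old = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
var_dump(rehashIfNeeded($password, $old) !== null);
var_dump(rehashIfNeeded($password, $h1) === null);
```

For the MySQL side, a single column holding the returned string is enough (bcrypt output is 60 bytes; the PHP manual recommends a 255-character column so that a future default algorithm with longer output fits without a schema change). Never pass a `salt` option yourself: it was deprecated in PHP 7.0 precisely because hand-made salts like "oidsjf03" are the error the built-in functions exist to prevent.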