I have two salts, each user has a unique salt that is stored with the user info in the database. The second salt is one that is specific to the website. Both are needed to hash the passwords.
Problem is I don't know where I should keep my website salt. Right now it resides in the PHP method that runs the hashing algorithm. Should I keep it in a file outside the /var/www/ and have PHP open and read the file? I don't want to store it in the database because that would defeat the purpose of having two salts should my database be compromised.
Any suggestions?
One option not mentioned yet? An environmental variable served by the server. You can do it in httpd.conf, or in a .htaccess. Since Apache doesn't serve .htaccess files, you don't need to worry about hiding it as much...
SetEnv WEBSITE_SALT 232lhsdfjaweufha32i4fv4239tauvkjn
That way, all you need to do in your application is $salt = getenv('WEBSITE_SALT');. The benefit here is that it's transparent to the application...
Yes, keep it in a PHP config file somewhere, preferably in a folder above the directory that is the web root.
Storing the website salt in a file that can never be served is your best option here. There's no point in encrypting the salt, or keeping it with the others as you pointed out. Just make sure the file you store it in cannot be served if requested (outside the root www works) and ensure it has proper permissions set.
Just stick it in a variable inside a .php file. For a minor bit of added security-by-obscurity, you can store it in (say) base64-encoded format, and name the variable something completely innocuous, like
$this_is_not_the_salt_you_are_looking_for = base64_decode(.... encoded salt string here ...);
For an extra-extra bit of security, place the .php file somewhere outside the webroot, so that if for some reason the webserver's config goes belly up and starts serving up raw PHP code, the file containing the salt info isn't directly accessible.
Most people will store a constant salt in a configuration file. This is fine, but the whole point of using a SALT is to ensure your data is not readable by an outside source.
I've seen a lot of people actually store the salt in database in the accounts field. Here's the twist though. It was uniquely generated upon account creation so every user has a unique salt.
It's not about the salt though--it's about how you're encrypting the data.
sha1($password.md5(md5($password.md5($salt))))
Even with the salt you would likely never be able to crack this. So never worry about storing it in your database if you decide to go unique per account. Just ensure that your encryption process is strong!
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 三岁会撩人 的文章《Where is the best place to store the password salt》','https://www.manongdao.com/article-678623.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}