I m working on a site which is (try to be) super secure. I read a lot about password hashing and using salts, but not everything is clear to me. I would like to use sha-256 hash algorithm with salt. I know about salts that all of them should be unique per-user per-password.
I m wondering what if I use the password as salt too? Hash the password with sha256 and then hash it with an other algorithm and use it as salt. In this way I don t have to store the salt in the database. Is this possible? or should I generate a random string?
No, that is still a one-way algorithm.
If another user uses the same password the hash value will be the same as the hash of the pass of the first user. That misses the point that hash values must be different for each user and each pass entry.
I suggest to use the date of registration of a user (for example) as salt. This way for each user and each pass the hashing algorithm will be different (ok, if two users have the same pass AND the same reg. date it will be the same).
Or maybe you can use user id for salt, or some combination between user id and reg.date and user name.
Edit:
Your approach is actualy better than hashing with known algorithm without salt, but worse than hash+propper salt.
What you do is just applying custom hash function of your own. That can t be easyly brute-forced without knowing the custom algorithm, but is vunerable to other attacks.
And I suggest not placing a table with name "SALT" in the db, for if DB is hacked the attacker wii get the passwords AND the salts for them.
