
"Use bcrypt" is the answer to all those things. Bcrypt includes a salt, which is stored along with the method in the hash string. Hashing is not the same as encryption, so there is no key involved.

If you are using PHP then do this:

    // bcrypt identifier, two-digit cost factor, then the 22-character salt
    $salt = '$2a$08$' . $random_data;
    // crypt() returns the full hash string, with the cost and salt embedded in it
    $hash = crypt($password, $salt);

$random_data is 22 random letters from A-Za-z0-9.= (16.5 bytes)

(08 is the cost factor - you can change it, but 8 seemed reasonable in my tests.)

If you google bcrypt and php you'll find a very complex and large class for doing this. It's no longer necessary - current versions of PHP have it built in.

Marco Arment (marco.org) has written a nice wrapper for it.
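An added example, not code from the comment above or from Marco Arment's wrapper: a hash/verify pair around the same crypt() call, generating the salt from the characters crypt() accepts, checking crypt()'s return value, and comparing in constant time on verification. It assumes PHP 7 or later (random_bytes) and the function names are hypothetical.

```php
<?php
// Added example, not code from the comment above or from any library: a
// hash/verify pair built on the crypt() call the comment describes.
// Assumes PHP 7+ (random_bytes); the function names are hypothetical.

// Build the "$2a$<cost>$<22-char salt>" string that crypt() expects.
// The salt characters must come from the set ./A-Za-z0-9.
function bcrypt_salt(int $cost): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    // 16 random bytes -> 24 base64 chars; swap '+' for '.' and drop the "==" padding
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return sprintf('$2a$%02d$%s', $cost, $salt);
}

function bcrypt_hash(string $password, int $cost = 8): string
{
    $hash = crypt($password, bcrypt_salt($cost));
    // crypt() signals failure with a short string such as "*0" instead of throwing
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

// Verify by re-running crypt() with the stored hash as the salt argument:
// crypt() reads the cost and the 22-char salt back out of the stored string.
function bcrypt_verify(string $password, string $stored): bool
{
    $recomputed = crypt($password, $stored);
    // hash_equals() compares in constant time, avoiding a timing side channel
    return strlen($recomputed) === 60 && hash_equals($stored, $recomputed);
}

// Time one hash at a given cost, to pick a cost for the deployment hardware.
function bcrypt_seconds(int $cost): float
{
    $start = microtime(true);
    bcrypt_hash('timing probe', $cost);
    return microtime(true) - $start;
}

$hash = bcrypt_hash('correct horse battery staple', 8);
var_dump(bcrypt_verify('correct horse battery staple', $hash));
var_dump(bcrypt_verify('wrong guess', $hash));
printf("cost 8: %.3fs per hash\n", bcrypt_seconds(8));
```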

