I'm dipping my toe in the water of salted passwords by upgrading an older webapp, and would like to present the rough outline of how my system would work in the hope that those with more experience than I might tell me if I'm going in the right direction;
In general terms:
***** SET/CHANGE PASSWORD *****
$salt = md5(time());
$salted_password = hash('sha256', $salt . $_POST['password']); // Hash the passwordInsert $salt and $salted_password into the database user table
***** LOGIN *****
Pull salt from database
Prepend salt to submitted password, generate SHA256 hash to compare against password from dbAttempt to pull user record from database using username submitted and password hash just generated:
"SELECT * FROM usertable WHERE user = '...' and password = '...' LIMIT 1" (username and password values are escaped)If row count is less than one, present error message and close page.
Otherwise, set cookies, user is logged in.
Am I on the right track here? From what I've read, a sha256 hash with a unique salt of 32 characters would be pretty robust, but I'd like to have someone else look at this to tell me if there's some glaring, or even subtle, logical error here.
Your assistance is appreciated.
Rob