Well I guess a salt should be something not related to the actual data being hashed. I’m not sure how exactly hmac works, but I guess when you use the data being hashed as secret key, it could be exploitable if an attacker knows indeed that you’re doing so.
So if the password is “12345” and the secret key is also “12345”, you can imagine it doesn’t fit to the bolded part of the text below I’ve copied from Wikipedia.
So I guess if you’re indeed doing this, you could also do sha1(sha1($data)). The final result is probably the same strength.
From a real security point of view, the idea of using the data as secret key is insecure. It’s like doing hash($data + $publicSalt). The key should be secret. It ain’t secret anymore when the attacker already knows that the hashed data is the key. He could just do custom_hmac(‘sha1’, $generatedKey, $generatedKey) in a brute-force script. Let’s think about this:
I guess the real benefit of HMAC against hashed data or hashed data + salt is that the key is indeed secret. If you just change the security concept, security will suffer.
Also an attacker that got root-access to read your static key from the server, could also take a look into your php-scripts and check out how you generate the hashes and then create a custom brute-force script. So that argument doesn’t really convince me.
But to be honest, if you don’t write a banking-script or something your may use your idea. Still I have the feeling every crypto-expert would hit you in the face for that
Just store a randomly generated salt value in the db per password. Append the salt value to user’s password when calculating the hash value. Store the hash value in the db. Do not store plain text password anywhere. Regenerate the salt value when the password needs to be changed. Do not roll your own hashing and/or encryption functions.
Larry Ullman’s Yii book talks about setting the secret in the config file.
// application-level parameters that can be accessed
// using Yii::app()->params['paramName']
// this is used in contact page
Not sure if this helps. I also realise this is an old thread.