Understanding Salt security


I have problems understanding the example in the docs about salting.

The following SQL did not work for me:

`PASSWORD(CONCAT('staticSalt', ?, password_salt))`

Laminas\Authentication\Result::getCode returns: -3 (“Supplied credential is invalid.”)

Only this provides successful logins:


Does this mean I have to save new passwords with ‘staticSalt’ and the value of password_salt? Must I create a new password like so?


The latest recommendation is to forgo salting altogether and use the password_hash function. It includes the salt.



I use the CallbackCheckAdapter myself and it works like a charm. For me it was a lot easier to get it working than the CredentialTreatmentAdapter although I do not recall why…

Also, if you are using laminas-form you can use Laminas\Authentication\Validator\Authentication to perform the login.

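To make the two suggestions above concrete (store with password_hash(), check with password_verify() through CallbackCheckAdapter), here is an added, self-contained example. It is not code from the thread or from the Laminas project itself. It assumes laminas/laminas-authentication and laminas/laminas-db are installed through Composer, that the pdo_sqlite extension is available (in-memory SQLite stands in for the MySQL table so it runs offline), and that the table is called `users` with `username` and `password` columns; all of those names are assumptions, as is the sample user.

```php
<?php
// Added example, not part of the original discussion or of Laminas.
// Assumes: composer require laminas/laminas-authentication laminas/laminas-db
// and PHP built with pdo_sqlite. Table and column names are assumptions.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Laminas\Authentication\Adapter\DbTable\CallbackCheckAdapter;
use Laminas\Authentication\AuthenticationService;
use Laminas\Authentication\Result;
use Laminas\Db\Adapter\Adapter as DbAdapter;

// In-memory SQLite replaces the MySQL table so the example runs stand-alone.
$db = new DbAdapter(['driver' => 'Pdo_Sqlite', 'database' => ':memory:']);
$db->query(
    'CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)',
    DbAdapter::QUERY_MODE_EXECUTE
);

// Registration: no static salt and no password_salt column. password_hash() draws a
// random per-user salt and embeds it, together with algorithm and cost, in the string.
function registerUser(DbAdapter $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $db->query('INSERT INTO users (username, password) VALUES (?, ?)', [$username, $hash]);
}

// Login: the callback receives (stored credential, supplied credential), in that order,
// so the argument order for password_verify() is the reverse.
function buildAuthAdapter(DbAdapter $db): CallbackCheckAdapter
{
    $verify = static function (string $storedHash, string $supplied): bool {
        return password_verify($supplied, $storedHash);
    };
    return new CallbackCheckAdapter($db, 'users', 'username', 'password', $verify);
}

function login(DbAdapter $db, string $username, string $password): Result
{
    $adapter = buildAuthAdapter($db);
    $adapter->setIdentity($username)->setCredential($password);
    $result = (new AuthenticationService())->authenticate($adapter);

    // Opportunistic upgrade: if PHP's default algorithm or cost has changed since the
    // hash was created, rehash now while the plaintext is still in hand.
    if ($result->isValid()) {
        $row = $db->query('SELECT password FROM users WHERE username = ?', [$username])->current();
        if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
            $db->query(
                'UPDATE users SET password = ? WHERE username = ?',
                [password_hash($password, PASSWORD_DEFAULT), $username]
            );
        }
    }
    return $result;
}

// Constructed sample user for the demonstration.
registerUser($db, 'alice', 'correct horse battery staple');

$ok   = login($db, 'alice', 'correct horse battery staple');
$bad  = login($db, 'alice', 'wrong password');
$none = login($db, 'bob', 'anything');

printf("valid login: %s (code %d)\n", var_export($ok->isValid(), true), $ok->getCode());
printf(
    "wrong password: code %d, FAILURE_CREDENTIAL_INVALID is %d\n",
    $bad->getCode(),
    Result::FAILURE_CREDENTIAL_INVALID
);
printf(
    "unknown user: code %d, FAILURE_IDENTITY_NOT_FOUND is %d\n",
    $none->getCode(),
    Result::FAILURE_IDENTITY_NOT_FOUND
);
```

Two points worth keeping in mind. The stored value is never compared in SQL; CallbackCheckAdapter fetches the row by identity and hands the stored column to your callback, which is why the check has to happen in PHP with password_verify(). And rows already hashed with MySQL's PASSWORD() cannot be converted offline, because that hash is one-way; those accounts need a one-time reset, or a fallback check against the old scheme on their next successful login followed by an UPDATE to a password_hash() value.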

It even says so in the docs:

[…] this adapter [DbTable Credential Treatment Adapter] is not recommended for new applications, and existing applications should consider migrating to using PHP-provided password handling functions such as password_hash() and password_verify(). See CallbackCheckAdapter for more info.

Thank you Tyrsson.
