From 89e02f7ce7a12c718334e39092e8af8c09ab55da Mon Sep 17 00:00:00 2001 From: William Turrell Date: Thu, 6 Oct 2016 10:59:36 +0100 Subject: [PATCH 1/2] Password Hashing - explain salts - what they are - why they're needed - how password_hash/verify handle it all for you. --- _posts/10-03-01-Password-Hashing.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/_posts/10-03-01-Password-Hashing.md b/_posts/10-03-01-Password-Hashing.md index ee70a65..5711b54 100644 --- a/_posts/10-03-01-Password-Hashing.md +++ b/_posts/10-03-01-Password-Hashing.md @@ -12,8 +12,13 @@ It is important that you properly [_hash_][3] passwords before storing them. Pas way function performed against the user's password. This produces a fixed-length string that cannot be feasibly reversed. This means you can compare a hash against another to determine if they both came from the same source string, but you cannot determine the original string. If passwords are not hashed and your database is accessed by an -unauthorized third-party, all user accounts are now compromised. Some users may (unfortunately) use the same password -for other services. Therefore, it is important to take security seriously. +unauthorized third-party, all user accounts are now compromised. + +Passwords should also be individually [_salted_][5] by adding a random string to each password before hashing. This prevents dictionary attacks and the use of 'rainbow tables' (a reverse list of crytographic hashes for common passwords.) + +Hashing and salting are vital as often users use the same password for multiple services and password quality can be poor. + +Fortunately, nowadays PHP makes this easy. **Hashing passwords with `password_hash`** 
@@ -37,10 +42,12 @@ if (password_verify('bad-password', $passwordHash)) { } {% endhighlight %} +password_hash() takes care of password salting for you. The salt is stored, along with the algorithm and "cost", as part of the hash. password_verify() extracts this to determine how to check the password, so you don't need a separate database field to store your salts. * [Learn about `password_hash()`] [1] * [`password_compat` for PHP >= 5.3.7 && < 5.5] [2] * [Learn about hashing in regards to cryptography] [3] +* [Learn about salts] [5] * [PHP `password_hash()` RFC] [4] @@ -48,3 +55,4 @@ if (password_verify('bad-password', $passwordHash)) { [2]: https://github.com/ircmaxell/password_compat [3]: http://en.wikipedia.org/wiki/Cryptographic_hash_function [4]: https://wiki.php.net/rfc/password_hash +[5]: https://en.wikipedia.org/wiki/Salt_(cryptography) From 646aae60a9f3b619c12624a573780fcf6f5e1c7d Mon Sep 17 00:00:00 2001 From: William Turrell Date: Sat, 8 Oct 2016 12:18:17 +0100 Subject: [PATCH 2/2] Conform to style guide Backticks for functions, double (") not single (') quotes --- _posts/10-03-01-Password-Hashing.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/_posts/10-03-01-Password-Hashing.md b/_posts/10-03-01-Password-Hashing.md index 5711b54..1e4019d 100644 --- a/_posts/10-03-01-Password-Hashing.md +++ b/_posts/10-03-01-Password-Hashing.md 
@@ -14,7 +14,7 @@ reversed. This means you can compare a hash against another to determine if they but you cannot determine the original string. If passwords are not hashed and your database is accessed by an unauthorized third-party, all user accounts are now compromised. -Passwords should also be individually [_salted_][5] by adding a random string to each password before hashing. This prevents dictionary attacks and the use of 'rainbow tables' (a reverse list of crytographic hashes for common passwords.) +Passwords should also be individually [_salted_][5] by adding a random string to each password before hashing. This prevents dictionary attacks and the use of "rainbow tables" (a reverse list of crytographic hashes for common passwords.) Hashing and salting are vital as often users use the same password for multiple services and password quality can be poor. @@ -42,7 +42,7 @@ if (password_verify('bad-password', $passwordHash)) { } {% endhighlight %} -password_hash() takes care of password salting for you. The salt is stored, along with the algorithm and "cost", as part of the hash. password_verify() extracts this to determine how to check the password, so you don't need a separate database field to store your salts. +`password_hash()` takes care of password salting for you. The salt is stored, along with the algorithm and "cost", as part of the hash. `password_verify()` extracts this to determine how to check the password, so you don't need a separate database field to store your salts. * [Learn about `password_hash()`] [1] * [`password_compat` for PHP >= 5.3.7 && < 5.5] [2]
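Review bot: In the first hunk of PATCH 1/2 (@@ -12,8 +12,13), the new salting paragraph overstates what a salt buys you. "This prevents dictionary attacks" is not accurate: an attacker holding a single salted hash can still run a dictionary against that one hash. What a per-password random salt actually prevents is precomputation, so rainbow tables built for unsalted hashes are useless, and it stops identical passwords from producing identical stored hashes, so each hash has to be attacked on its own rather than all at once. Suggest: "This defeats precomputed 'rainbow tables' (lists of hashes for common passwords) and ensures two users with the same password get different hashes, so each one must be attacked separately." Two smaller points on the same line: "crytographic" is a typo for "cryptographic", and the sentence-final period sits inside the closing parenthesis. It would also be worth one clause saying the salt must come from a cryptographically secure random source, which the later paragraph implicitly covers by delegating everything to `password_hash()`.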
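Review bot: In the second hunk of PATCH 1/2 (@@ -37,10 +42,12), the paragraph added after `{% endhighlight %}` says the algorithm and "cost" are stored inside the hash string but stops short of the practical consequence a reader of this page needs: because they are embedded, the cost (or the algorithm, when using `PASSWORD_DEFAULT`) can be raised later, and `password_needs_rehash()` can be called on successful login to upgrade old hashes transparently. One sentence to that effect would round out the advice. The word "cost" in quotes also deserves a short gloss, e.g. "cost" (the work factor, i.e. how slow each hash is to compute), since the page never defines it. Finally, the new list entry `* [Learn about salts] [5]` is inserted between [3] and [4] rather than appended after [4], which breaks the numeric order of the reference list; append it instead.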
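Review bot: In the first hunk of PATCH 2/2 (@@ -14,7 +14,7), the style pass changes the quotes around "rainbow tables" but carries the "crytographic" misspelling and the period inside the closing parenthesis across from the previous commit unchanged; since this exact line is being rewritten anyway, fix both here: `"rainbow tables" (a reverse list of cryptographic hashes for common passwords).` Also note the commit message's "double (") not single (') quotes" applies only to prose, not to the PHP sample in the context lines (`'bad-password'` is correct PHP); a word in the commit message to that effect would avoid a later "fix" to the code block.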