This question already has answers here:
Secure hash and salt for PHP passwords
(14 answers)
Closed 5 years ago.
In storing passwords in php mysql, can i assume the passwords to be safe if i were to run md5 algorithm again and again and with combination of text replacement and rotation?
No, MD5 is not secure to use to create a password verifier.
With PHP use password_hash and password_verify, the pair are secure and easy to use.
When saving a password verifier just using a hash function is not sufficient and just adding a salt does little to improve the security. Instead use a function such as PBKDF2, Rfc2898DeriveBytes, Argon2, password_hash, Bcrypt or similar functions with about a 100ms duration. Make the attacker spend substantial of time finding passwords by brute force.
Related
This question already has answers here:
Secure hash and salt for PHP passwords
(14 answers)
Closed 8 years ago.
I was wondering if
password_hash("custompassgoeshere", PASSWORD_BCRYPT)
Is secure enough in order to store passwords to the DB or if I should add some more SALT in it (I was thinking something like user's username/email/date of birth/etc).
Thanks!
Bcrypt would be secure enough on its own., ensure that you increase the iterations/cost to something high enough (but not too slow for your server). You may need to test a few values to test for acceptable hashing times.
You do not need to salt your passwords, Bcrypt generates unique salts for each hash automatically and stores it with the hash.
See: How can bcrypt have built-in salts?
This question already has answers here:
Secure hash and salt for PHP passwords
(14 answers)
Closed 8 years ago.
Is there an advantage as to where password hash and salt occurs, in PHP vs in a database? It seems having the process occur inside of a database would be the optimal solution; since the web server and the database would only have to exchange the password and not the salt.
It's okay to store the salt in the database. It's an advantage to do so, because you want to use a different random salt per user.
I recommend doing the hashing in the application.
The reason is that if you do the hashing in an SQL expression, and you use query logging on the database server, you might be storing plaintext samples of the user passwords in the query log.
If you're using something better than a simple hash + salt, like PBKDF2, you're going to have to involve PHP at this point AFAIK. So in terms of best location, for me, the best location is in the code because that's where you can do the "best" method of password hashing.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
PHP 2-way encryption: I need to store passwords that can be retrieved
Lately I'm a little confused reading several tutorials on storing passwords in databases. Most sites say that the best is using a hash and a salt to store the passwords or also store the passwords in two parts or add a general key for all passwords.
I saw several methods with crypt, sha, sha256, md5 and blowfish.
My question is, using crypt function with blowfish is safe or there are better/safer and more effective methods for storing passwords?
Well, apart from the obvious, not storing, hashing etc...
I'd say don't use the regular {MD5, SHA1, SHA256, SHA512, SHA-3, etc} if you can, even if you can salt them. Reasons for this can be found at:
http://codahale.com/how-to-safely-store-a-password
Simply put: use bcrypt
You might want to read up on this topic on
Password hashing, salt and storage of hashed values
http://dustwell.com/how-to-handle-passwords-bcrypt.html
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Secure hash and salt for PHP passwords
I want to hash the passwords of the users.
I will use a salt.
In the past, I have used md5 but clearly, this is a very outdated way of hashing passwords now.
Is sha256 or sha512 better for effectiveness, not speed.
Thanks.
Define "effectiveness". Obviously, sha512 is more secure, slower and less disk space-efficient than sha256.
for hashing using a salt I recommend the HMAC method (implemented in PHP’s hash_hmac())
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Secure hash and salt for PHP passwords
Is this a secure way to encrypt the passwords to store in a mysql database:
md5(sha1($password))
Thanks.
What you are doing here is hashing, not encrypting.
Hashing has the purpose of not storing the password itself in the database, so that if the database is stolen the attacker will not gain knowledge of all user passwords.
Hashing should be used in conjunction with salting the hashes, because otherwise it will be relatively easy for an attacker who has gained access to the database to crack the weak passwords stored there.
Also, hashing the same input twice (as your example does with md5 and sha1) does not offer any significant benefit.
Generate random salt for each password and compute password digest with HMAC-SHA1. The salt is used as key and password is used as message. The salt and digest are stored into database.