This question already has answers here:
Secure hash and salt for PHP passwords
(14 answers)
Closed 9 years ago.
In an MVC style web app, what's the best/most secure way of setting up a hashing method that's available globally?
I've just been doing this within my core controller that is extended by the rest of my scaffolding:
class Core{
protected function salt($string=null){
$salt = 'dsjflk32osdjshewy8327rtewyrkjfdhdsgnmbcxvsgfyew3287';
$this->data = md5($salt.$string);
return $this->data;
}
}
Is this good practice, or should I be doing something different?
It depends on what you want to hash. If its just to create a unique identifier for larger/grouped datasets, then you could just use MD5. Using salt isnt realy needed then, but it cant harm you either.
If you want to use it for passwords, dont use a hashing function that is optimized for speed at all, because its not realy secure. For passwords I recommend Bcrypt and this question has a lot of information on why you should use it.
If you need the hashing function to disquise parameters, so they cannot be altered, an md5 hash would be sufficient aswell. Since you need to store the link between the hash and the actual value somewhere, they can try to bruteforce the md5 to change the parameter, but they still can only enter values you allowed and have in your link table.
Look at openwalls phpass
http://www.openwall.com/phpass/
Its used in a lot of open source php projects
This is an alternate solution,
$this->data = crypt($salt.$string);
It's not a good idea to use constant salt in hash. It's wise to use different salt per each hash. For this you can:
Generate random salt and save it next to the hash in db
(better) Password is always connected with some entity in database so you can pick some attribute that won't be changed (its ID or creation date) as a varying part of salt.
Use SHA512 for encryption, MD5 is not secure at all.
Method i use to get it encrypted:
$salt= hash("SHA512", $myconstantvar);
$peper= hash("SHA512", $username);
$pass= hash("SHA512", mypass);
enc_pass= hash("SHA512", $salt.$pass.$peper);
Related
I was wondering if there was a method to change the way my site hashed passwords. My coder friend wasn't the smartest when he didn't add salts to the sha512 hash. So now it is very insecure and I wish to change that. I was thinking about making some complicated code to rehash when someone who has the old hash type logs in and it would set the variable to true after adding a salt. Or I could take the currently hashed passwords and somehow fuse a salt into them. I would rather not reset my user database if I don't have to. Any idea would help. I am also quite the php noob so please explain if you include code.
It is Hashed using this method.
<?php hash('sha512',"passwordhere") ?>
Alter your user table to include a 'salt' column, default value of 'NULL'.
Alter your login code to check if the user has a salt:
If yes, compare the salted hashes and log in
If no:
Compare the unsalted hashes.
Generate a random salt.
Generate your salty hash.
Store your new salt and hash in the database.
Continue the login process.
Of course, you will also need to update your code for registration, password change/recovery, etc.
Alternatively, instead of a 'salt' column you could put in a 'hash_ver' column and use that to determine which validation method to use and when to update the hash. That way if you wish to use a hashing method that packs the salt in with the hash like bcrypt you don't get stuck trying to figure out what type of hash you're dealing with.
Every password-storing-system must have the option to switch to a better hash algorithm, your problem is not a one-time migration problem. In the answer to this question i tried to point out the necessary steps.
Note: Fast hash algorithms like SHA-* are not appropriate to hash passwords, instead switch directly to a slow key-derivation function like BCrypt. The new PHP function password_hash() will make hashing easy (it will generate a safe salt for you), and is "future proof", also it will make switching in future possible.
$old_hash = hash('sha512',"passwordhere");
$salt = ''; // Generate salt here
$new_hash = hash('sha512', $old_hash.$salt) ;
I'm using CodeIgniter, and am creating a section of the site where users need to be logged in. I have been reading about storing passwords as MD5 Hashes and encrypted strings with salts, but I don't see anything about decryption.
Is it efficient/safe to encrypt password attempts the same way they were encrypted when they were stored to check for validation?
Is this the recommended way of storing passwords in a php application or using the CodeIgniter Framework?
There are already auth libraries "ready to go" (out of box one might say), here is a link to another question that is similar to this one
http://www.stackoverflow.com/questions/346980/how-should-i-choose-an-authentication-library-for-codeigniter
note I like Tank Auth with "groups".
CodeIgniter uses a library called "Tank Auth": http://konyukhov.com/soft/tank_auth/
It includes the class "PasswordHash.php": http://bit.ly/1gahwtT
Example code:
require "PasswordHash.php";
define("phpass_hash_portable",TRUE);
define("phpass_hash_strength",8);
$hasher = new PasswordHash(phpass_hash_strength,phpass_hash_portable);
if ($hasher->CheckPassword($password_to_check, $original_encoded_password)) {
echo "password correct";
} else {
echo "password incorrect";
}
the two comments on your answers shows links to good answers, to add more.if you're just into hashing,You can also use crypt. note crypt is different from mcrypt fooled me once. An example of crypt can be found on laravel3 Hash class. or you can also use php pass,a library that utilizes OpenBSD-style Blowfish-based bcrypt.
Add thanks to cryptic, ircmaxell also has a hashing library check it out here
Do not use md5 or base64. Sha1 is also broken. Its better to use bcrypt.
You can use this library with codeigniter to verify the bcrypt passwords
The passwords are stored in hashed format because in most cases it is not needed to restore them to the original string. The md5 function generates a unique 32 letter long string that can be verified by just comparing two hashes. To answer your question:
Yes this is a standard way of saving passwords.
MD5 is no longer secured enough so most people are starting to use the php hash
function with algorithm 'sha512' and salt of course.
this function may be use full to u..
$this->load->library('encrypt');
$this->encrypt->sha1($yaourpassword);
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
How to best store user information and user login and password
How do you use bcrypt for hashing passwords in PHP?
I am used to using the md5() which I know is now outdated and I hear that sha1() is also insecure. So what is exactly the best way to store and retrieve passwords in a database these days with security in mind? I'd be very happy if you can provide a small example.
Thank you!
I would recommend looking at bcrypt, since it can help against brute-force attacks. http://codahale.com/how-to-safely-store-a-password/
You can find example Here
You should really use bcrypt to hash your passwords, it was designed especially for hashing password.
Hash functions for passwords should be slow (need some computing time). Most hash algorithms like SHA-1 and MD5 or even SHA-256 are designed to be fast, but this makes it an easy target for brute force attacks. An off-the-shelf GPU is able to calculate about 8 Giga MD5 hashes per second!
Don't be afraid to use bcrypt! It is not for high security sites only, and using it can be as easy, as using an md5 hash. It's recommended to use a well established library like phpass, and if you want to understand how it can be implemented, you can read this article, where i tried to explain the most important points.
UPDATE:
Current PHP versions offers the functions password_hash() and password_verify() to handle passwords. Use them like this:
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_DEFAULT);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
We use crypt with Blowfish:
// Hash our password
$hashed = crypt($plain_text_password, '$2a$08$' . substr(hash('whirlpool', microtime()), rand(0, 105), 22));
// Validate a password
if (crypt($plain_text_password, $hashed) == $hashed)) {
// Valid password
}
The salt prefix $2a$ (read the docs) is what instructs crypt to use Blowfish. And assuming the implementation of crypt(3) in the underlying OS supports it, you get it "for free."
md5\sha1 + unique salt = best way
Don't be paranoid.
You could look up alot of encryption codes or mix them for example like this:
sha1(md5(sha1($pw)));
I find that unnecessary so what I use is SHA512 hash("sha512",$pw);
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 8 years ago.
Improve this question
I'm trying to find the best way to secure user passwords in a mysql database (hashing/encryption wise). I was which method was the most secure and hardest to crack. I am not very experience in the realm of encryption/hashing etc. Currently I am using a very unsecure method of doing this sort of encryption:
$encrypted_password = strrev(base64_encode($password));
I know that isn't the best way to do it, but like I said, I'm new. Could anyone point my in the right direction?
Thanks.
Use bcrypt:
Bcrypt is an adaptive password hashing algorithm which uses the Blowfish keying schedule, not a symmetric encryption algorithm.
Read the accepted answer here:
openssl_digest vs hash vs hash_hmac? Difference between SALT & HMAC?
How To Safely Store A Password
Edit: You should take a look at hash_hmac(). I think it's a better approach than just salting.
You can use sha1 and a salt:
$salt = "some random string";
$encrypted_password = sha1($salt.$password);
You add the salt to make it harder to use rainbow tables in case somebody manages to get the encrypted password list.
You could use any one-way hashing method (I just like sha1), but it's always better to salt it before hashing.
use hash_hmac to store encrypted passwords
If you need clear text password, use des/aes/3des
Here is an article from Php.net that talks about "Safe Password Hashing".
From the article:
When hashing passwords, the two most important considerations are the computational expense, and the salt. The more computationally expensive the hashing algorithm, the longer it will take to brute force its output.
There are two functions that are bundled with PHP that can perform hashing using a specified algorithm.
The first hashing function is crypt(), which natively supports several hashing algorithms. When using this function, you are guaranteed that the algorithm you select is available, as PHP contains native implementations of each supported algorithm, in case one or more are not supported by your system.
The second hashing function is hash(), which supports many more algorithms and variants than crypt(), but does not support some algorithms that crypt() does. The Hash extension is bundled with PHP, but can be disabled during compile-time, so it is not guaranteed to be available, while crypt() is, being in the PHP core.
The suggested algorithm to use when hashing passwords is Blowfish, as it is significantly more computationally expensive than MD5 or SHA1, while still being scalable.
You should look at php's hash() function: http://se2.php.net/manual/en/function.hash.php
With this you can use lots of different hash algorithms, I usually go with sha256, and add a salt to it before hashing it.
Passwords should be hashed, not encrypted. That is, you should not be able to decrpyt the password. Instead, you should compare hashes.
User sets password $password = 'hX4)1z'
You get hash of password and store to DB:
$pw = hash_hmac('sha512', 'salt' . $password, $_SERVER['site_key']);
mysql_query('INSERT INTO passwords (pw) VALUES ('$pw');
Customer comes back later. They put in their password, and you compare it:
mysql_query('SELECT pw FROM passwords WHERE user_id = ?'); //$pw = fetch
if ($pw == hash_hmac('sha512', 'salt' . $_REQUEST['password'], $_SERVER['site_key']) {
echo "Logged in";
}
I suggest using SHA2 with a salt to store your password.
To create a SHA2 hash, use this:
$hash = hash("sha512", $password.$salt);
A salt contains some extra characters to add to your password before hashing to prevent rainbow tables (databases of passwords and it's hashes). You can create one using a unique user info (like a user_id) or just create a random one and store it somewhere. Just make sure the salt is long enough.
normally it is better not to encrypt a password, but to hash it.
the difference is that encryption is encoding a string, leaving the possibility to decode it.
hashing is "one-way" - once you "hash" something, you cannot de-hash it. some strings can be hashed into the same result, but good hashing reduces the chance of a collision.
It is best to avoid storing actual passwords, since people tend to use a single common password to multiple websites. this means that you can access their accounts on other websites (or if you are leaked, the hacker can).
it's common to hash the password string together with "salt". This is some random string that it difficult to guess, like &%P)##M##)+!#~!#4320`2##!$0 or something of that sort. Common hash methods are md5/sha1 (or other sha method).
so you would have:
$password = '....';
$enc_pass = sha1( '%^$sd%MDdF)#I#)3asd3223##4*^&(*&##' . $password );
$enc_pass will be stored in the database, and after a login form, the result will be hashed (as above) and compared to the value in the database.
PS: don't forget to have your database column of a size that would contain the entire password ;)
I'd just like to add that storing a hash of the passwords does not automatically make the authentication process secure. What you also should employ is a decent password policy. The reason is, even if you have the most sophisticated hash algorithm of all time, and a user uses the password "password" or "1234", then the algorithm is useless, because the password can be simply guessed.
Don't forget to make a restriction on password strength.
Because password strength is a weakest part of the whole thing.
As long as your users do use weak passwords, no salt nor extra-secure hashing routine would be of any help.
The best hashing algorithm you can use is salted MD5 hashing where you insert some random characters inside the MD5 hashed string for that particular object. But you must remember the positions where you had inserted the random characters. This is required so that you can decrypt the hashing to obtain the original object or string.
$random="abcd";
$hashed=md5(your_string);
$salted_hash=$hashed.$random;
This is the simplest example where I have just concatenated the hashed and salt. but you can insert the salt string somewhere in the middle.
I'm developing a web service where users must login. I will store user data in an SQL database and input/output via PHP. But I don't want to store it openly. How do I encrypt the passwords in PHP so only those who knows the password can unlock it?
I know services like phpBB uses some sort of hiding/encryption on stored passwords.
You need to salt and hash the password, using an appropriately secure algorithm.
PHP's mhash has appropriate hashing functions
A full example here on SO
The easiest way to get your password storage scheme secure is by using a standard library.
Because security tends to be a lot more complicated and with more invisible screw up possibilities than most programmers could tackle alone, using a standard library is almost always easiest and most secure (if not the only) available option.
See this answer for more info
You probably want to hash the password - not encrypt it. Check out SHA-1. Hashing means that you cannot retrieve the original data as you can with encryption. Instead what you do is hash the users input and compare it to the hash in the database to see if they've got the right password. Doing this increases security as if your database was ever compromised - a bunch of hashes are useless.
Well, you shouldn't encrypt them with MD5 (which is not really secured, most hackers have conversion tables).
Hence, you can hash it with SHA1 (which is usually used).
If you want more security, you can add more salt which is a key you can add like this (just an example, usually used) :
salt+sha1(salt+pass)
This combination can be used with many language.
Hash passwords in SHA-1 (sha1 php inbuilt function) with several recursions of salting (same code in the answers above, only loop through several times). This should be sufficient protection, so even if the intruders somehow get their hands on the hashes, they shouldn't be able to crack them...
Save an MD5 hash and to make it more secure, add a salt.
There is the possibility to hash passwords (preferably with a salt):
$salt = random_string($length = 5);
$hash = $salt . sha1($salt . $password);
Or store encrypted (only if your MySQL connection is SSL secured):
INSERT INTO `user` (`user`,`pass`) VALUES("username",ENCRYPT("password","secretkey"))