This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Best way to encode passwords in PHP
I've been reading a lot of things about password and email hashing and I am not quiet sure I figure out what is the best method. It's clear that md5 and SHA are outdated and pretty useless but when it comes to all the crypt's, mcrypt_encrypt, hash(), etc.:
which one is an effective way of secure PASSWORDS AND EMAILS nowadays?;(maybe A BEST way?)
can I use the same method for both?;
Really appreciated if someone could give me some advise.
Have a look at this blog. It as good information about password hashing.
http://blog.ircmaxell.com/search/label/Password-Hashing
The author also has a password hashing library, which only uses quality, vetted algorithms.
That note aside, you should use bcrypt, or PBKDF2 for password hashing.
As for email encryption, PGP/GPG is your best bet for cross compatible/supported email encryption.
You should read this question Secure hash and salt for PHP passwords and this one How do you use bcrypt for hashing passwords in PHP?.
Both questions have more than 170 upvotes.
Related
This question already has answers here:
Secure hash and salt for PHP passwords
(14 answers)
Closed 5 years ago.
In storing passwords in php mysql, can i assume the passwords to be safe if i were to run md5 algorithm again and again and with combination of text replacement and rotation?
No, MD5 is not secure to use to create a password verifier.
With PHP use password_hash and password_verify, the pair are secure and easy to use.
When saving a password verifier just using a hash function is not sufficient and just adding a salt does little to improve the security. Instead use a function such as PBKDF2, Rfc2898DeriveBytes, Argon2, password_hash, Bcrypt or similar functions with about a 100ms duration. Make the attacker spend substantial of time finding passwords by brute force.
This question already has answers here:
How do you use bcrypt for hashing passwords in PHP? [duplicate]
(11 answers)
I'm using MD5 to hash passwords. When should I jump to the next thing? SHA-3? [closed]
(1 answer)
Closed 8 years ago.
For a long time as a php developer, i have been using md5 hashing algorithm to secure the password data and to generate unique hashing algorithms.
However from last few months i hear rumors that md5 is not considered secure anymore, i like to know why ?
what are the password authentication alternatives i.e SHA1, password_hash() in PHP 5.5 ? And i like to know why these alternatives are considered better choice now a days, because to me most of these are again just another hashing algorithms ...
Because many websites and research studies have proved that md5() can be reversed and you should stop using that !
In simple words....
You could very well make use of password_hash() in PHP 5.5 and also the crypt() those are the better ones considered so far.
A simple illustration of password_hash() taken from PHP Manual
<?php
$options = [
'cost' => 12,
];
echo password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options)."\n";
?>
A simple illustration of crypt making using of the BLOWFISH algorithm
if (CRYPT_BLOWFISH == 1) {
echo 'Blowfish: ' . crypt('rasmuslerdorf', '$2a$07$usesomesillystringforsalt$') . "\n";
}
EDIT :
Why you should not use md5() ?
Hashing algorithms such as MD5, SHA1 and SHA256 are designed to be
very fast and efficient. With modern techniques and computer
equipment, it has become trivial to "brute force" the output of these
algorithms, in order to determine the original input. Because of how
quickly a modern computer can "reverse" these hashing algorithms, many
security professionals strongly suggest against their use for password
hashing.
Why go for password_hash() on PHP 5.5 ?
When hashing passwords, the two most important considerations are the
computational expense, and the salt. The more computationally
expensive the hashing algorithm, the longer it will take to brute
force its output. PHP 5.5 provides a native password hashing API which is the password_hash() that
safely handles both hashing and verifying passwords in a secure
manner.
Source
It's fast. An attacker could break a hashed password in just a few hours (maybe minutes) if they managed to get a copy of your database - the faster an algorithm, the more attempts per second = more insecure.
SHA-256/SHA-512 are better choices as they take longer to process, therefore they could add years to the time it could take to break a hash. Not sure about the hackers out there, but I don't have the time or patience to try that.
This question already has answers here:
Secure hash and salt for PHP passwords
(14 answers)
Closed 8 years ago.
Would the following be a safe way of storing a user's password in a database?
When registering:
$salt=hash("sha512", rand());
$password=hash("sha512", $_POST["password"].$salt);
insert_values_into_db;
When logging in:
$given_password=$_POST["password"];
$salt=get_salt_from_db;
$correct_password=get_password_from_db;
if(hash("sha512", $given_password.$salt) === $correct_password){
//Password is correct
}else{
//Password is incorrect
}
Are there any blatantly obvious errors with this?
Best solution: If you have PHP version 5.5 or above, use the password_hash function. If not, check out the password_compat library by ircmaxwell.
All these hashes are optimized for speed and made to go easy on the processor. (MD5, SHA512, etc.) Because of this cracking them is just as easy. I would either re-hash a couple of more times or just use the crypt method: http://php.net/manual/en/function.crypt.php.
Read more on password hashing in the documentation of PHP: http://php.net/manual/en/faq.passwords.php
The most common way of storing passwords in a database people use is either
md5 the password like : md5($password)
OR
crypt($password)
You could also add double md5 or double crypt for password to be really secure
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
PHP 2-way encryption: I need to store passwords that can be retrieved
Lately I'm a little confused reading several tutorials on storing passwords in databases. Most sites say that the best is using a hash and a salt to store the passwords or also store the passwords in two parts or add a general key for all passwords.
I saw several methods with crypt, sha, sha256, md5 and blowfish.
My question is, using crypt function with blowfish is safe or there are better/safer and more effective methods for storing passwords?
Well, apart from the obvious, not storing, hashing etc...
I'd say don't use the regular {MD5, SHA1, SHA256, SHA512, SHA-3, etc} if you can, even if you can salt them. Reasons for this can be found at:
http://codahale.com/how-to-safely-store-a-password
Simply put: use bcrypt
You might want to read up on this topic on
Password hashing, salt and storage of hashed values
http://dustwell.com/how-to-handle-passwords-bcrypt.html
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Secure hash and salt for PHP passwords
I want to hash the passwords of the users.
I will use a salt.
In the past, I have used md5 but clearly, this is a very outdated way of hashing passwords now.
Is sha256 or sha512 better for effectiveness, not speed.
Thanks.
Define "effectiveness". Obviously, sha512 is more secure, slower and less disk space-efficient than sha256.
for hashing using a salt I recommend the HMAC method (implemented in PHP’s hash_hmac())