This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Secure hash and salt for PHP passwords
I want to hash the passwords of the users.
I will use a salt.
In the past, I have used md5 but clearly, this is a very outdated way of hashing passwords now.
Is sha256 or sha512 better for effectiveness, not speed.
Thanks.
Define "effectiveness". Obviously, sha512 is more secure, slower and less disk space-efficient than sha256.
for hashing using a salt I recommend the HMAC method (implemented in PHP’s hash_hmac())
Related
This question already has answers here:
Secure hash and salt for PHP passwords
(14 answers)
Closed 5 years ago.
In storing passwords in php mysql, can i assume the passwords to be safe if i were to run md5 algorithm again and again and with combination of text replacement and rotation?
No, MD5 is not secure to use to create a password verifier.
With PHP use password_hash and password_verify, the pair are secure and easy to use.
When saving a password verifier just using a hash function is not sufficient and just adding a salt does little to improve the security. Instead use a function such as PBKDF2, Rfc2898DeriveBytes, Argon2, password_hash, Bcrypt or similar functions with about a 100ms duration. Make the attacker spend substantial of time finding passwords by brute force.
This question already has answers here:
Secure hash and salt for PHP passwords
(14 answers)
Closed 8 years ago.
I was wondering if
password_hash("custompassgoeshere", PASSWORD_BCRYPT)
Is secure enough in order to store passwords to the DB or if I should add some more SALT in it (I was thinking something like user's username/email/date of birth/etc).
Thanks!
Bcrypt would be secure enough on its own., ensure that you increase the iterations/cost to something high enough (but not too slow for your server). You may need to test a few values to test for acceptable hashing times.
You do not need to salt your passwords, Bcrypt generates unique salts for each hash automatically and stores it with the hash.
See: How can bcrypt have built-in salts?
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
PHP 2-way encryption: I need to store passwords that can be retrieved
Lately I'm a little confused reading several tutorials on storing passwords in databases. Most sites say that the best is using a hash and a salt to store the passwords or also store the passwords in two parts or add a general key for all passwords.
I saw several methods with crypt, sha, sha256, md5 and blowfish.
My question is, using crypt function with blowfish is safe or there are better/safer and more effective methods for storing passwords?
Well, apart from the obvious, not storing, hashing etc...
I'd say don't use the regular {MD5, SHA1, SHA256, SHA512, SHA-3, etc} if you can, even if you can salt them. Reasons for this can be found at:
http://codahale.com/how-to-safely-store-a-password
Simply put: use bcrypt
You might want to read up on this topic on
Password hashing, salt and storage of hashed values
http://dustwell.com/how-to-handle-passwords-bcrypt.html
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Secure hash and salt for PHP passwords
I use the following code to hash and store passwords:
$salt=uniqid(mt_rand(), false);
hash('sha512',$pass+$salt);
Is it secure in our time? If no, what solution is better?
Is crypt() good for this purpose or it's too old?
To make your hashing harder to brute-force, increase the computation time. sha512 is a cryptographic hashing function and it is optimized for speed. You're only hashing a password once when authenticating a user so don't be afraid to take your time.
Since an attacker will be computing millions of hashes, why not make your hash function take 0.1s per hash? You won't notice any significant speed degradation, but any brute-force attacks will be indefeasible.
That being said, instead of going out and writing your own hash function to do this:
hash = sha512(password)
for i in range(10000):
hash = sha512(hash) + salt
return hash
Use tested solutions like phpass, which uses bcrypt.
Hashing with a salt is good. However, you want to apply the hashing algorithm multiple times (a few hundred is a good ballpark).
"Stretching" the hash function in this way does not make for a stronger hash, but rather slows down brute force attacks.
http://en.wikipedia.org/wiki/Key_stretching#Hash_based_key_stretching
It depends on your use of this, it's not going to be sufficient for storing credit card details or bank details (not that you would hash them!) but it will be more than enough IMO for passwords for a website, especially given you are using a salt and it's the 512 hash.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Best way to encode passwords in PHP
I've been reading a lot of things about password and email hashing and I am not quiet sure I figure out what is the best method. It's clear that md5 and SHA are outdated and pretty useless but when it comes to all the crypt's, mcrypt_encrypt, hash(), etc.:
which one is an effective way of secure PASSWORDS AND EMAILS nowadays?;(maybe A BEST way?)
can I use the same method for both?;
Really appreciated if someone could give me some advise.
Have a look at this blog. It as good information about password hashing.
http://blog.ircmaxell.com/search/label/Password-Hashing
The author also has a password hashing library, which only uses quality, vetted algorithms.
That note aside, you should use bcrypt, or PBKDF2 for password hashing.
As for email encryption, PGP/GPG is your best bet for cross compatible/supported email encryption.
You should read this question Secure hash and salt for PHP passwords and this one How do you use bcrypt for hashing passwords in PHP?.
Both questions have more than 170 upvotes.