php encrypting passwords

Question

Ok i know this topic is brought up a lot in stackoverflow but they don't underline the answers that im looking for.

I use md5 encryption which i told(it was a while ago when i was a noob at php)was safe but if you look it up on good old google its has encrypted and decryption.

so i started to look other places aka here.

ive heard about all the encryption methods so for example SHA-1,MD5,SHA-2,SHA-256,SHA-512 and so on.

A lot of people say use Bcrypt which im looking over, its that vs SHA-512.

and people say use a random salt and save it in your database which is stupid because say a hacker hacks you database and get the salt of all your passwords so it's a small window to change all the salts before the hacker decrypts all the passwords and go on to other places and try them for instance facebook,google and stackoverflow

So my question is it the safest way doing it like this (encrypting (with SHA-512) and using a random salt which will also be stored in a database) or use a fixed salt which is hard wired into my php code which has the same amount of security as the database random salt.

And i have read a lot of posts on this so i think i know what im talking about and i like to impassive that i have read many posts about this about 20 to be precise.

OH almost forgot and is it safer if you encrypt the password multiple times or is about the same as only one encryption?

Thanks for you'r help on a much over written post

Im Sorry for the people im confusing a bit but i didn't get the point of some other peoples posts and i started rambling on about encryption but i was talking about hashing strings.

sorry for that

Answer 1

I use md5 encryption which i told(it was a while ago when i was a noob at php)was safe but if you look it up on good old google its has encrypted and decryption.

First some nitpicking. It is hashing and not encrypting. Hashing is one way. Now to answer your question: don't use md5() to hash passwords. It's not safe anymore. It has been broken for some years now. Not only has there been collisions found (multiple values which result in the same hash), but md5 can be bruteforced really really fast with any decent GPU.

A lot of people say use Bcrypt which im looking over, its that vs SHA-512

You should use bcrypt. It's the best option for password hashing for now.

and people say use a random salt and save it in your database which is stupid

No it is not stupid. Salting passwords prevents an attacker creating a rainbow table for all your passwords. ircmaxell has created a password lib for your convenience which can be found on GitHub.

Some related articles and Stack Overflow posts:

• Are there more modern password hashing methods than bcrypt and scrypt?
• bcrypt FAQ
• Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes
• How do you use bcrypt for hashing passwords in PHP?
• Introducing: PasswordLib
• Properly Salting Passwords, The Case Against Pepper
• OWASP Password Storage Cheat Sheet

Update

When PHP 5.5 will be released it will introduce an easy way to correctly encrypt your passwords. It will use bcrypt by default and automatically add a salt to your passwords. When a better algorithm will become available in the future (e.g. scrypt) it will be able to use that. For more information see the RFC about this new feature. It will also have a feature which detects the used algorithm of the currently hashed passwords and automatically can update them when users login to a newer (/ safer) algorithm when available. For implementation examples check out this GitHub gist.

If you are still on an older version of PHP and cannot update there is a pure PHP implementation of the C API available with support of PHP >= 5.3.7. This compat API uses the exact same implementation as the C API.

Note: it would even be better to use the safer scrypt, however up till now PHP doesn't support it. If it does at some point I will update this answer.

Answer 2

You're confusing hashing with encryption.

Answer 3

I salt with certain characters from the username as well as a string in the php code. Theoretically they need the code and db to figure it out.

Answer 4

A salt is worthwhile as it prevents pre-computation of all possible results. Multiple rounds help slow things down a bit too, but not much if someone happens to gain access to the hashes and have several GPUs at their disposal. To answer the question specifically, if I were you and I could use bcrypt, then I would. If you decide to just SHA-512 hash, use salt and multiple rounds (tens of thousands of rounds).

Also, MD5 and SHA1 hashing, etc. is one-way. The only way to get the original output from the hash is by brute force or sheer luck in guessing it.

Answer 5

June 2015 Update:

As @PeeHa stated, PHP 5.5 includes a built in mechanism and a short tutorial / explanation for implementing a hashed password with PHP. You can check it out Password Hashing.

Password hashing is possible using these methods:

• string password_hash ( string $password , integer $algo [, array $options ] )

password_hash() creates a new password hash using a strong one-way hashing algorithm. password_hash() is compatible with crypt(). Therefore, password hashes created by crypt() can be used with password_hash().

• boolean password_verify ( string $password , string $hash )

Verifies that the given hash matches the given password.

You will probably receive the input from the user so in order to prevent SQL Injection I would recommend using these methods to clear the input:

You can use a prepared statement which allows you to insert user input safely into a n SQL query:

 $stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
 $stmt->bindParam(':name', $name);
 $stmt->bindParam(':value', $value);

 $name = 'one';
 $value = 1;
 $stmt->execute();

More information regarding prepared statement in @Theos answer.

Other alternatives are clearing the user input strings:

• string stripslashes ( string $str )

An example use of stripslashes() is when the PHP directive magic_quotes_gpc is on (it was on by default before PHP 5.4), and you aren't inserting this data into a place (such as a database) that requires escaping. For example, if you're simply outputting data straight from an HTML form. stripslashes API

• string mysqli::escape_string ( string $escapestr )

This function is used to create a legal SQL string that you can use in an SQL statement. The given string is encoded to an escaped SQL string, taking into account the current character set of the connection. real_escape_string API