I am making a login system in PHP and I was wondering if this current hash function I have is secure enough.

```php
public function genHash( $user, $pass )
{
    // Username is upper-cased so the hash is case-insensitive on the user part
    $user = strtoupper($user);
    // Site-wide secret string configured once (see below)
    $staticSalt  = $this->staticSalt;
    // "Dynamic" salt derived entirely from the username and password; no random input
    $dynamicSalt = hash('SHA512', md5($user . $pass) . sha1($pass) . hash('SHA512', $user . $pass));
    // Final digest: Whirlpool over password, derived salt and static salt
    $final       = hash('WHIRLPOOL', $pass . $dynamicSalt . $staticSalt);
    return $final;
}
```

The static salt is just a bunch of random characters. Anyway, how can I make it more secure?

Nathan Osman
Tybone Ten
  • You only need to hash it once, and use something that you can introduce a work factor into, such as bcrypt. – alex Jun 18 '12 at 00:06
  • Please do not create your own password hashing scheme. Use [bcrypt](http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php). – jmkeyes Jun 18 '12 at 00:12
  • possible duplicate of [Secure hash and salt for PHP passwords](http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords) – Boris Guéry Jun 18 '12 at 00:14
  • As other people said, just create a salt for each user. You would then store this salt with the hash in the database. You don't need to hash it over and over. When you hash something you can't reverse it anyway. The only way to crack is with rainbow tables and/or brute force. If you create a salt for each person, this will make it hard for anyone to brute force x amount of passwords since they would have to brute force every one from scratch. – Matt Jun 18 '12 at 00:17
  • Do use bcrypt instead of your own scheme; there's a reason why everyone will suggest you the same. Here's a simple class to handle it: https://gist.github.com/1053158 – Mahn Jun 18 '12 at 00:47
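The bcrypt approach the comments recommend, as an added example that is not code from the question, the answer or the linked gist: PHP's built-in `password_hash()`/`password_verify()` (available since PHP 5.5; this snippet is written for PHP 7.1 or later) give each password its own random salt and a tunable work factor, which the hand-rolled `genHash()` above lacks. The class name, the cost value and the sample password are assumptions made for illustration.

```php
<?php
// Added example, not the asker's code: bcrypt via PHP's built-in API.
// Unlike genHash() above, each hash gets its own random salt and a tunable
// work factor; salt and cost are stored inside the hash string itself,
// so the users table needs only one column.

final class PasswordStore
{
    // Assumed cost for illustration; raise it until one hash takes roughly
    // 100-250 ms on the production hardware.
    private const COST = 12;

    // Hash a new password for storage (bcrypt, random salt, cost above).
    public static function hashPassword(string $pass): string
    {
        return password_hash($pass, PASSWORD_BCRYPT, ['cost' => self::COST]);
    }

    // Check a login attempt; password_verify() compares in constant time.
    public static function verify(string $pass, string $storedHash): bool
    {
        return password_verify($pass, $storedHash);
    }

    // True when the stored hash used an older cost or algorithm; call after a
    // successful login and store a fresh hashPassword() result if it is true.
    public static function needsRehash(string $storedHash): bool
    {
        return password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => self::COST]);
    }
}

// Demonstration with a constructed password.
$pass  = 'correct horse battery staple';
$hashA = PasswordStore::hashPassword($pass);
$hashB = PasswordStore::hashPassword($pass);

// Two hashes of the same password differ because each draws a fresh salt,
// whereas genHash() always yields the same output for a given user/password.
echo 'hashes differ:       ', var_export($hashA !== $hashB, true), PHP_EOL;
echo 'correct password:    ', var_export(PasswordStore::verify($pass, $hashA), true), PHP_EOL;
echo 'wrong password:      ', var_export(PasswordStore::verify('wrong password', $hashA), true), PHP_EOL;

// A hash stored earlier with a lower cost is flagged for upgrade on next login.
$legacy = password_hash($pass, PASSWORD_BCRYPT, ['cost' => 10]);
echo 'legacy needs rehash: ', var_export(PasswordStore::needsRehash($legacy), true), PHP_EOL;
```

bcrypt only uses the first 72 bytes of the password, so enforce a sane maximum length at registration rather than silently truncating.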

1 Answer

You could use different salts for each user and store them in the database, but besides that this system looks pretty secure (not knowing the details of the server).

EDIT:

Theoretically, multihashing a string increases the chance of hash collisions, but I haven't found anything reliable that says this is a practical risk.

secretformula