1

I initially used MD5 when i first started out coding to hash user passwords.

 $password1 = md5($password);

After reading countless of pages with different opinions, what shall i be using? crypt,SHA1,SHA256... here is an example of how i revised code by using SHA1 and static salting.

$salt = '324912343223942833294328432392';
$passwordarray = str_split($password,2);
$password1 = sha1($passwordarray[0].$salt.$passwordarray[1]);
//insert $password1 into database

when logging in and checking password..

$salt = '324912343223942833294328432392';

    $passwordarray = str_split($password,2);
    $dbpasswordarray = str_split($dbpasswordarray,2);

    $password = sha1($passwordarray[0].$salt.$passwordarray[1]);
    $dbpassword = sha1($dbpasswordarray[0].$salt.$dbpasswordarray[1]);

               if ($username==$dbusername&&md5($password3)==$dbpassword)
               {

What shall i do to improve/change this code and make it more secure? .. can i have an example.. Shall i do dynamic salting and add a unique salt to each user in the database?

user892134
  • 3,078
  • 16
  • 62
  • 128
  • @Amber: Except that the accepted answer for that question is wrong so it's probably not a good idea to link to it. – Mark Byers Jun 30 '12 at 04:18

4 Answers4

3

You should use bcrypt.

The problem with MD5, SHA-1, etc is that they were designed to be fast to compute. This makes brute force and dictionary attacks easy because you can test millions of passwords per second.

Bcrypt solves this by being deliberately slow. It has a work factor that can be adjusted so that as hardware improves you can make the calculation more difficult.

Related

Community
  • 1
  • 1
Mark Byers
  • 811,555
  • 193
  • 1,581
  • 1,452
  • Is the second link answer a fully working example? i hate copying and pasting without understanding. Is there a step by step tutorial on bcrypt? – user892134 Jun 30 '12 at 04:18
0

It's partly a matter of how much effort you want to put into securing your logins. In the last couple years I've been moving toward dynamic salting / each user having their own salt value. This keeps hackers from using rainbow tables if they get ahold of your database. I also use sha256 hashing.

curtisdf
  • 4,130
  • 4
  • 33
  • 42
0

Maybe you could follow the example of existing libraries or frameworks.

For example, the Django Framework explains:

How Django stores passwords

The password attribute of a User object is a string in this format:

algorithm$hash

That's a storage algorithm, and hash, separated by the dollar-sign character. The algorithm is one of a number of one way hashing or password storage algorithms Django can use; see below. The hash is the result of the one- way function.

By default, Django uses the PBKDF2 algorithm with a SHA256 hash, a password stretching mechanism recommended by NIST. This should be sufficient for most users: it's quite secure, requiring massive amounts of computing time to break.

They also provide a helpful link on recommended practices when storing password: http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf

Source: https://docs.djangoproject.com/en/dev/topics/auth/

Juan Enrique Muñoz Zolotoochin
  • 3,429
  • 2
  • 29
  • 37
0

I'd look into a library to handle password hashing / salting / checking etc. A simple easy one to implement is the Portable PHP password hashing framework. This is the same library used by wordpress and many other php applications. It automatically checks for the most secure php hashing algorithm available. Since php distributions support different algorithms. This way you are getting the maximum possible security without sacrificing portability.

I really like it because it saves me lots of headaches. I'd rather lean on people who are smarter than me for security encryption stuff.

Jordan Shute
  • 169
  • 3