1

Possible Duplicate:
hash() vs. crypt() function comparison

Recently I researched how to properly do password hashing in PHP. One of the better options is to use crypt(). But why wouldn't we use hash()?

The main reason I am asking this is because I made a password hashing function that wraps crypt() and I am wondering what to name my function. Right now it's named getHash(). But I feel funny using that name since I am wrapping crypt(). If I use getCrypt() that doesn't sound great either because it's meant to be a HASHING function. What should I name my hashing function that wraps crypt()?

Ryan

2 Answers

3

Hashing, as used by hash, is meant to verify data (like files), normally as a checksum sort of thing. It is fast, which is why we don't use it for secure data.

Crypt (when used correctly) uses a slow hashing algorithm. The reason a slow hashing algorithm is important is because it makes it difficult for someone to brute-force the hash. If the slow hashing algorithm takes even 0.1 milliseconds longer than the fast hashing algorithm, then trying 10000 passwords will take a second, and of course, brute-forcing would require millions of tries.

Waleed Khan
0

I think what we are eventually getting at here is that some crypts are designed to be slower, while hash() is relatively fast in comparison. The slower the algorithm, the slower hackers can brute force your passwords. Sadly, slower is better... to a point :)

Jared Drake
  • A hash is also more desirable, as an encryption is easily reversible provided the key. The only time you ever want an encryption over a hash is if you have to retrieve the password later (and why would you need to?). – Gary Aug 18 '12 at 04:59
  • @Gary Where did encryption come from? Nobody's been discussing encryption. – Waleed Khan Aug 18 '12 at 05:01
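
The point both answers make, as an added example (not code from the question or from either answer): a wrapper around crypt() that uses bcrypt with an adjustable cost, timed against a single hash() call. The names hashPassword, verifyPassword and timeOnce and the sample password are hypothetical, and the code assumes PHP 7 or later for random_bytes().

```php
<?php
// Added example: function names and the sample password are hypothetical.

// Build a bcrypt hash with crypt(); $cost is the log2 work factor (4..31).
function hashPassword(string $password, int $cost = 10): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be 4..31');
    }
    // 16 random bytes -> 22 salt characters from bcrypt's ./A-Za-z0-9 alphabet.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
    // crypt() signals failure with a short string such as "*0".
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not return a bcrypt hash');
    }
    return $hash;
}

// The stored hash carries algorithm, cost and salt, so it doubles as the
// setting string; hash_equals() compares in constant time.
function verifyPassword(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

// Wall-clock seconds taken by one call of $fn.
function timeOnce(callable $fn): float
{
    $start = microtime(true);
    $fn();
    return microtime(true) - $start;
}

$password = 'correct horse battery staple'; // constructed sample input
$stored = hashPassword($password, 10);

var_dump(verifyPassword($password, $stored));
var_dump(verifyPassword('wrong guess', $stored));

// Cost per guess: one fast digest versus bcrypt at increasing work factors.
$fast = timeOnce(function () use ($password) { hash('sha256', $password); });
printf("hash('sha256'):         %.6f s per guess\n", $fast);
foreach ([8, 10, 12] as $cost) {
    $slow = timeOnce(function () use ($password, $cost) { hashPassword($password, $cost); });
    printf("crypt() bcrypt cost %2d: %.6f s per guess\n", $cost, $slow);
}
```

Each step up in cost doubles the bcrypt work, so the per-guess time roughly doubles from one line of output to the next. On PHP 5.5 and later, password_hash() and password_verify() perform these same steps.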