1

Possible Duplicate:
Secure hash and salt for PHP passwords

I try to create a function that hashes my password with salt using haval160,4 hashing algorithm. But I do not understand it's security. I'm supplying the code below:

Just let me know how can I improve the security system. 

<?php    
defined("SALT")? NULL : define("SALT", "abcdefthijklmnopqursuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ*/\|[]{}()~!@#$%^&*_+:.,;1234567890");

function createSalt(){
        static $random_string;
        for($i=0;$i<64;$i++){
            $random_string .= substr(str_shuffle(SALT), 0,25);
        }
    return $random_string;
}

global $salts;// I want to store the salt value into my database with password
$salt = createSalt();
$salts = $salt;//I keep this cause I will check the matching password without database

function createPassword($input_data,$salt){
    static $hash;
    $cryc = crypt($input_data,$salt);

      $hash = hash("haval160,4",$cryc);

    return $hash;
}

$password = createPassword("123456",$salt);
$stored_password = $password ; // I stored value into a variable cause I want to test without database
//echo $password.'<hr>';

echo "Your Password: ".$password;
echo "<br/> Your SALT VALUE: ".$salt.'<hr>';

function checkPassword($uid,$password,$salts,$stored_password){//this is just a test function... actual function don't require $salts and $stored_password
    $db_uid = 1 ;
    if($uid === $db_uid){

        $db_salt = $salts;

        $db_password = createPassword($password,$db_salt);
        if($db_password == $stored_password){
            echo "Password Match";
        }else{
            echo"password don't match";
        }

    }

}

checkPassword(1,"123456",$salts,$stored_password);

?>
Community
  • 1
  • 1
Mohammad Faisal Islam
  • 497
  • 2
  • 13

1 Answers1

2

You shouldn't design your own cryptographic algorithms.

Use this bcrypt implementation: http://www.openwall.com/phpass/

require '../PasswordHash.php';
$hasher = new PasswordHash($hash_cost_log2=2, $hash_portable=false); // increase the first parameter if you need it to be slower (more secure)

// Create hash
$hash = $hasher->HashPassword($pass);

// Check password
$hasher->CheckPassword($pass, $hash);

This is as secure as you can get, don't bother looking for something 'more secure', and don't try to add salts or anything else to it.

ChocoDeveloper
  • 14,160
  • 26
  • 79
  • 117