
I see many ways to hash passwords in PHP: crypt(), md5(), sha1()

What is the best and most popular way to hash a password in PHP?

Chandara Sam
  • To my knowledge, both sha1 and md5 have been broken and should no longer be used for that purpose. – Kai Mattern Sep 08 '12 at 11:17
  • Best != most popular. And what's popular shouldn't matter in matters of security, the general public gets these things wrong (or at least suboptimal) more often than not. –  Sep 08 '12 at 11:22

1 Answer


I'd recommend using a 'slow' hash function with a parameter which controls the amount of work. This means you limit the brute-force required to crack your passwords independently of the algorithm itself. An example is bcrypt.

Do not try to create your own hash functions. Always rely on the tried and tested algorithms from professionals. You are almost guaranteed to introduce a vulnerability if you go it alone. Don't use MD5 as it's relatively trivial to crack with modern GPUs.

This answer discusses bcrypt, its parameters and how to use it to hash passwords in PHP:

How do you use bcrypt for hashing passwords in PHP?

This is quite a funny diatribe about why fast hashes - e.g. MD5 and SHA1 - are bad news for password security:

http://codahale.com/how-to-safely-store-a-password/

In terms of popularity, I wouldn't pay it any attention. The security of your customers' data is more important than anything else.

Dave R.
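
The approach recommended in the answer above, as an added example that is not part of the original answer: bcrypt with an explicit work parameter through PHP's built-in `password_hash()` / `password_verify()`, with stored hashes upgraded on successful login. It assumes PHP 7 or later; `BCRYPT_COST`, `hashPassword()`, `verifyLogin()` and the sample records are hypothetical names and constructed data.

```php
<?php
// Added example; the names and sample records here are hypothetical/constructed.
const BCRYPT_COST = 12; // work parameter: each +1 doubles the hashing time

function hashPassword(string $password): string
{
    // Generates a random salt and embeds algorithm, cost and salt in the output.
    // bcrypt only uses the first 72 bytes of the password.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

/**
 * Returns [bool $ok, ?string $newHash]. A non-null $newHash means the caller
 * should overwrite the stored hash with it.
 */
function verifyLogin(string $password, string $storedHash): array
{
    // Legacy record: 32 lowercase hex characters is treated as unsalted MD5.
    if (preg_match('/^[0-9a-f]{32}$/', $storedHash) === 1) {
        $ok = hash_equals($storedHash, md5($password));
        return [$ok, $ok ? hashPassword($password) : null];
    }
    // password_verify() reads the cost and salt from the stored string itself.
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    // The configured cost was raised since this hash was created: re-hash now,
    // while the plaintext password is available.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return [true, hashPassword($password)];
    }
    return [true, null];
}

// Constructed sample records for one password stored three different ways.
$records = [
    'legacy md5'     => md5('correct horse'),
    'bcrypt cost 10' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]),
    'bcrypt current' => hashPassword('correct horse'),
];

foreach ($records as $label => $stored) {
    [$ok, $newHash] = verifyLogin('correct horse', $stored);
    [$bad] = verifyLogin('wrong guess', $stored);
    printf("%-15s ok=%s wrong=%s upgrade=%s\n", $label,
        var_export($ok, true), var_export($bad, true),
        $newHash === null ? 'no' : 'yes');
}
```

Choose the cost by timing `hashPassword()` on the production hardware and raising `BCRYPT_COST` as that hardware gets faster; `password_needs_rehash()` then migrates existing users as they log in.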