2

I was looking for the best way to store the users' passwords, but I'm not really into security, so I've found a lot of information about encryption and things like that, using Google.

I don't like using snippets that I can get in blogs or sites on the Internet, I'd rather create my own solution, so I ended up developing two functions: One to create a hash and another one to check the "hashed" password.

I don't know if I'm doing right, or if I'm just increasing my problems, so take a look at the functions below.

```php
// Creates a simple password's hash
function hashPassword( $password = false )
{
    // Checks that the password has at least 6 characters
    if( strlen( $password ) < 6 )
    {
        // Kills the script
        exit('Password is too short.');
    }

    // Split off the first 4 characters of the password
    $salt = substr( $password, 0, 4 );

    // Calculate the md5 hash of the salt
    $salt = md5( $salt );

    // Get the rest of the password (from the 5th character on)
    $password = substr( $password, 4 );

    // Calculate the sha1 hash of the salt and the remaining password
    $password = sha1( $salt . $password );

    // Crypt the password (no salt argument: PHP generates a standard DES salt;
    // PHP 8.0+ requires the salt argument and throws an error without it)
    $password = crypt( $password );

    return $password;
}
```

That's the password that I'm going to store. Now, check out the way I'm gonna check if the password's correct.

```php
// Checks if a hashed password matches a user input password
function checkHashedPassword( $password = false, $hashedPassword = false )
{
    // Checks that the password has at least 6 characters
    if( strlen( $password ) < 6 )
    {
        // Kills the script
        exit('Password is too short.');
    }

    // Split off the first 4 characters of the password
    $salt = substr( $password, 0, 4 );

    // Calculate the md5 hash of the salt
    $salt = md5( $salt );

    // Get the rest of the password (from the 5th character on), as in hashPassword()
    $password = substr( $password, 4 );

    // Calculate the sha1 hash of the salt and the remaining password
    $password = sha1( $salt . $password );

    // Checks the password against the hash: the stored hash doubles as the crypt() salt
    if( crypt( $password, $hashedPassword ) == $hashedPassword )
    {
        // Returns true
        return true;
    }

    // Returns false by default
    return false;
}
```

As you can notice, I'm going to create a variable storing the password, and then I can check if it's OK, like the code below:

```php
$pass = hashPassword( $_POST['password'] );

if( !checkHashedPassword( $_POST['password'], $pass ) )
{
    exit('Password incorrect!');
}
```

So, will it work securely?

jww
Foreba
  • 1
    I'm no expert in security either but I think that's more or less what people use in forums and such sites. – Tivie Oct 18 '12 at 21:34
  • 2
    One thing though. Are you comfortable with using OpenID? It's a different animal, that's for sure, but it's very secure. – Tivie Oct 18 '12 at 21:37
  • 1
    See this question: http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php – Madara's Ghost Oct 18 '12 at 21:48
  • Also see Openwall's [PHP password hashing framework](http://www.openwall.com/phpass/) (PHPass). It's portable and hardened against a number of common attacks on user passwords. The guy who wrote the framework (SolarDesigner) is the same guy who wrote [John The Ripper](http://www.openwall.com/john/) and sits as a judge in the [Password Hashing Competition](http://password-hashing.net/). So he knows a thing or two about attacks on passwords. – jww Oct 12 '14 at 00:45
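As an added illustration (not code from the question or from any answer): the scheme in the question ends with `crypt($password)` and no salt argument. On PHP versions before 8.0 that selects the standard DES scheme with a random two-character salt (PHP 8.0 made the salt argument mandatory). Standard DES crypt uses only the first 8 characters of its input, so of the 40-character sha1 hex digest only 8 hex characters (32 bits) influence the stored hash. The first four characters of the password are also not a salt in the usual sense, since they are derived from the password rather than generated randomly and stored; the only random salt here is the two characters crypt() adds. The script below shows the truncation on constructed inputs and contrasts it with bcrypt through the same crypt() call; the DES and bcrypt salts are fixed, constructed values for the demonstration only.

```php
<?php
// Added example, not code from the question. Shows that standard DES crypt()
// ignores everything after the 8th input character, while bcrypt ($2y$) does not.

// Constructed 2-character DES salt (alphabet ./0-9A-Za-z).
const DEMO_DES_SALT = 'ab';
// Constructed bcrypt salt: "$2y$" + cost "10$" + 22 salt characters.
// Real code must draw the 22 characters from a CSPRNG, or simply use password_hash().
const DEMO_BCRYPT_SALT = '$2y$10$abcdefghijklmnopqrstuv';

// Two constructed inputs that agree only in their first 8 characters, standing
// in for two distinct sha1 hex digests that happen to share an 8-character prefix.
const INPUT_A = '0123456789abcdef0123456789abcdef01234567';
const INPUT_B = '01234567ffffffffffffffffffffffffffffffff';

// Returns true when standard DES crypt() yields the same hash for both inputs.
function desIgnoresTail(): bool
{
    return crypt(INPUT_A, DEMO_DES_SALT) === crypt(INPUT_B, DEMO_DES_SALT);
}

// Returns true when bcrypt through crypt() tells the same two inputs apart.
function bcryptUsesWholeInput(): bool
{
    $a = crypt(INPUT_A, DEMO_BCRYPT_SALT);
    $b = crypt(INPUT_B, DEMO_BCRYPT_SALT);
    // A bcrypt hash is 60 characters; a failed crypt() returns a short "*0"/"*1".
    return strlen($a) === 60 && strlen($b) === 60 && $a !== $b;
}

printf("DES crypt ignores input after 8 characters: %s\n", desIgnoresTail() ? 'yes' : 'no');
printf("bcrypt distinguishes the two inputs:        %s\n", bcryptUsesWholeInput() ? 'yes' : 'no');
```

Run with `php demo.php`; the first line prints `yes` because DES crypt truncates its key, the second prints `yes` because bcrypt consumes up to 72 bytes of input.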

3 Answers

3

If you are looking for a general and simple way, the "Adding simple password hashing API" RFC is still in RFC status for PHP, but it has a very good implementation by ircmaxwell that you can use.

Example

```php
$hash = password_hash($password, PASSWORD_BCRYPT);
```

Verification

```php
if (password_verify($password, $hash)) {
    /* Valid */
} else {
    /* Invalid */
}
```

Download Here

Baba
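A fuller version of that flow, as an added example rather than Baba's or ircmaxwell's code: registration hashes with `password_hash()`, login verifies with `password_verify()`, and `password_needs_rehash()` upgrades a stored hash when the cost factor is raised later. The user store is a constructed in-memory array standing in for a database table, and the function names are this example's own.

```php
<?php
// Added example (not from the answer). Needs PHP 7.0+ for the ?? operator;
// the password_* functions themselves are PHP 5.5+ (or ircmaxwell's
// password_compat on 5.3.7+). $users stands in for a database table.

const BCRYPT_OPTIONS = ['cost' => 12];   // raise over time as hardware gets faster
const MIN_PASSWORD_LENGTH = 8;

// Hashes a new password for storage; returns null when the password is too short.
function registerUser(array &$users, $username, $password)
{
    if (strlen($password) < MIN_PASSWORD_LENGTH) {
        return null;                      // report to the caller instead of exit()
    }
    $hash = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    $users[$username] = ['hash' => $hash];
    return $hash;
}

// Verifies a login and re-hashes transparently when the stored hash is below
// the current cost. Unknown users are verified against a dummy hash so the
// response time does not reveal which usernames exist.
function loginUser(array &$users, $username, $password)
{
    static $dummyHash = null;
    $dummyHash = $dummyHash ?? password_hash('dummy-password', PASSWORD_BCRYPT, BCRYPT_OPTIONS);

    $known  = isset($users[$username]);
    $stored = $known ? $users[$username]['hash'] : $dummyHash;

    if (!password_verify($password, $stored) || !$known) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $users[$username]['hash'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    }
    return true;
}

// Demonstration with constructed data.
$users = [];
registerUser($users, 'alice', 'correct horse battery');
var_dump(loginUser($users, 'alice', 'correct horse battery'));
var_dump(loginUser($users, 'alice', 'wrong password'));
var_dump(loginUser($users, 'nobody', 'anything'));
```

The stored string already carries the algorithm, cost and salt, which is why verification takes only the password and the stored hash; raising `cost` in `BCRYPT_OPTIONS` later makes `password_needs_rehash()` return true on the next successful login and the record is upgraded in place.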
1

You can use:

```php
$pass = <query password code>;

if( $pass != hashPassword( $_POST['password'] ) )
{
    exit('Password incorrect!');
}
```
Udan
  • 1
    This cannot work with a correctly salted password. To verify the password, you need a separate function which has two parameters, the password to check, and the salt of the already hashed password to compare with. This salt is usually included in the already hashed password-hash, so one calls `verifyPassword($password, $alreadyHashedPassword)`. – martinstoeckli Oct 19 '12 at 07:10
1

The Password Storage Cheat Sheet from OWASP provides good guidelines for password storage and hashing.

The key points are to use a strong salt, and iterate the hash (64,000 times or more currently).

A good and widely used PHP library for password hashing is the Portable PHP Password Hashing Framework by OpenWall, I recommend checking that out.

drew010
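The two key points from that cheat sheet, a random per-password salt and an iterated hash, made explicit as an added example (not drew010's, OWASP's or Openwall's code) using PBKDF2-HMAC-SHA256 with the 64,000 iterations the answer mentions. The storage format `pbkdf2-sha256$<iterations>$<salt>$<hash>` and the function names are this example's own; `password_hash()` stays the simpler choice where it is available.

```php
<?php
// Added example (not from the answer). Requires PHP 7.1+ (random_bytes,
// nullable types); hash_pbkdf2() is PHP 5.5+ and hash_equals() PHP 5.6+.

const PBKDF2_ITERATIONS = 64000;   // the answer's "64,000 times or more"
const PBKDF2_SALT_BYTES = 16;
const PBKDF2_KEY_BYTES  = 32;

// Returns "pbkdf2-sha256$<iterations>$<salt base64>$<hash base64>".
// A fresh random salt is drawn unless one is passed in (used by verification).
function pbkdf2Hash(string $password, ?string $salt = null, int $iterations = PBKDF2_ITERATIONS): string
{
    $salt = $salt ?? random_bytes(PBKDF2_SALT_BYTES);
    $dk   = hash_pbkdf2('sha256', $password, $salt, $iterations, PBKDF2_KEY_BYTES, true);
    return sprintf('pbkdf2-sha256$%d$%s$%s', $iterations, base64_encode($salt), base64_encode($dk));
}

// Re-derives the key with the salt and iteration count stored in the record
// and compares in constant time, so the stored record is self-describing.
function pbkdf2Verify(string $password, string $stored): bool
{
    $parts = explode('$', $stored);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2-sha256') {
        return false;
    }
    $iterations = (int) $parts[1];
    $salt       = base64_decode($parts[2], true);
    if ($salt === false || $iterations < 1) {
        return false;
    }
    return hash_equals($stored, pbkdf2Hash($password, $salt, $iterations));
}

// Constructed demonstration data.
$record = pbkdf2Hash('correct horse battery staple');
var_dump(pbkdf2Verify('correct horse battery staple', $record));
var_dump(pbkdf2Verify('incorrect', $record));
// Hashing the same password twice gives different records: each call draws a new salt.
var_dump($record !== pbkdf2Hash('correct horse battery staple'));
```

Because the iteration count travels with the record, it can be raised for new passwords without invalidating old ones; old records are re-hashed at the next successful login, the same pattern `password_needs_rehash()` provides for bcrypt.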