1

Possible Duplicate:
How do you use bcrypt for hashing passwords in PHP?

What is the secure way or hash function to store passwords in a MySQL database? Now I'm using this sha1() function to store my password in the DB with the following code. Is it really safe?

<?php
$pass = 123456789;
$pass = sha1($pass);
echo $pass;
?>

Thanks for your advice.

Update

I see salt is something like this.

$salt = "this is a salt";
$password = 'this is an password';
$hash = sha1($salt.$password);

So, can I use any number/random number/something for the $salt value? After that, is it now SAFE?

Babu
  • You can use any random value you want to generate a hash since the salt is what goes attached inside that hash. It is better to use random strings so the passwords are even more secure, having the same salt all over the database is merely the same as not having a salt. – Ignacio Belhot Colistro Nov 04 '12 at 07:21
  • @IgnacioBelhotColistro if random salt is used, how could you check if the password is correct? – Alvin Wong Nov 04 '12 at 07:22
  • @Alvin Wong, you're right, I think, but why is it that the form salt is different all over my database. I believe that you could check if the entered password is correct by just storing the generated salt into the database. – Ignacio Belhot Colistro Nov 04 '12 at 07:27
  • @IgnacioBelhotColistro [some functions accept the hashed password as hash so that you can check the password](http://hk2.php.net/manual/en/function.crypt.php), but at least not MD5 and SHA1 – Alvin Wong Nov 04 '12 at 07:29
  • That's right, you can store a random salt in the database, that will do it. – Jean Nov 04 '12 at 07:29
  • I start to think that this should be moved to [security.se] – Alvin Wong Nov 04 '12 at 07:32
  • I have flagged this as a duplicate of the question @citricsquid posted below – Stephen Nov 04 '12 at 07:37
  • @Babu: You ask about security, so I think you might be interested in understanding the area this is about: http://blog.ircmaxell.com/2012/10/password-hashing-in-php-talk.html - it's a very well made talk that shows what works how with password hashing and what security has to do with it. – hakre Nov 04 '12 at 10:32
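The comments above ask how a per-user random salt can work if you still need to check the password later. The answer is that the salt is stored next to the hash (or, with bcrypt, inside the hash string), so the check re-runs the same computation. Below is an added example, not code from the question or any answer, of the register/login flow against the MySQL database the question mentions, using PHP 7+'s built-in password_hash()/password_verify() (bcrypt) and PDO prepared statements. The DSN, the credentials and the users table are assumptions made for the demo.

```php
<?php
// Added example: per-user salted password storage in MySQL with PHP's
// password_hash()/password_verify(). Assumed table (created separately):
//   CREATE TABLE users (
//     id INT AUTO_INCREMENT PRIMARY KEY,
//     username VARCHAR(64) NOT NULL UNIQUE,
//     password_hash VARCHAR(255) NOT NULL   -- bcrypt output is 60 chars; room for newer algorithms
//   );
declare(strict_types=1);

const BCRYPT_OPTIONS = ['cost' => 12];   // work factor; raise it as hardware gets faster

function connectDb(): PDO
{
    // Placeholder DSN and credentials; replace with the real ones.
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

function registerUser(PDO $db, string $username, string $password): void
{
    // password_hash() draws a fresh random salt from the OS on every call and
    // keeps algorithm, cost and salt inside the 60-character result
    // ("$2y$12$" + 22 salt chars + 31 hash chars). No separate salt column is
    // needed, and two users with the same password get different rows, unlike
    // the single site-wide salt discussed in the comments.
    // Note: bcrypt only uses the first 72 bytes of the password.
    $hash = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    if (!is_string($hash)) {
        throw new RuntimeException('password_hash() failed');
    }
    // Prepared statement: the hash is bound as a value, never interpolated into SQL.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function checkLogin(PDO $db, string $username, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        // Verified against when the user does not exist, so response time does
        // not reveal which usernames are valid.
        $dummyHash = password_hash('dummy', PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    }

    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $stored = ($row === false) ? $dummyHash : $row['password_hash'];
    // password_verify() reads cost and salt out of $stored, recomputes bcrypt
    // and compares the result in constant time.
    $ok = password_verify($password, $stored) && $row !== false;
    if (!$ok) {
        return false;
    }
    // Transparent upgrade if the stored hash was made with a lower cost.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute([
            ':h' => password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS),
            ':u' => $username,
        ]);
    }
    return true;
}

// Usage with constructed values:
$db = connectDb();
registerUser($db, 'babu', '123456789');
$loggedIn = checkLogin($db, 'babu', '123456789');
```

The sha1() call from the question is replaced entirely; nothing about the password is stored except the bcrypt string, and the per-user salt travels inside it.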

3 Answers

0

The SHA* variants should not be used for password hashing. Use the Blowfish algorithm and the crypt() function.

phpass is a PHP password hashing library that can simplify this for you.

You could also do more research on the topic and write some code to generate your own Bcrypt/Blowfish compatible Salts and use crypt() directly, rather than using the phpass library.

Stephen
  • Isn't it fine to use `SHA*` (or even MD5) if you append a salt? – Alvin Wong Nov 04 '12 at 07:21
  • Really? I know SHA1 is no longer seen as completely secure, but as far as I'm aware SHA256 and SHA512 are still acceptable to use? Especially with a decent salt, but I could be wrong. – RobFos Nov 04 '12 at 09:00
  • SHA algorithms are designed for use in things like SSL and TLS. In this situation you want to be able to calculate a hash very quickly so you don't impede performance. For password hashing you want it to be very slow (compared to algorithms used with SSL etc) to calculate a hash. – Stephen Nov 04 '12 at 12:09
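Stephen's point that password hashing should be slow is easy to check on your own hardware. The following is an added example, not code from this answer, that measures how much slower bcrypt is than the sha1() call from the question and picks a bcrypt cost for the machine it runs on (PHP 7+). The 250 ms target is an assumption to adjust per deployment.

```php
<?php
// Added example: compare the per-guess cost of sha1() with bcrypt, and
// calibrate a bcrypt cost factor for this machine.
declare(strict_types=1);

function secondsPerBcrypt(int $cost, int $samples = 3): float
{
    $best = INF;
    for ($i = 0; $i < $samples; $i++) {
        $t0 = microtime(true);
        password_hash('benchmark only', PASSWORD_BCRYPT, ['cost' => $cost]);
        // Keep the fastest run: that is the rate an attacker would see.
        $best = min($best, microtime(true) - $t0);
    }
    return $best;
}

function secondsPerSha1(int $iterations = 200000): float
{
    $t0 = microtime(true);
    $h = 'benchmark only';
    for ($i = 0; $i < $iterations; $i++) {
        $h = sha1($h);   // the same work the question's code does per password
    }
    return (microtime(true) - $t0) / $iterations;
}

function chooseBcryptCost(float $targetSeconds = 0.25, int $minCost = 10, int $maxCost = 15): int
{
    // Each +1 on the cost doubles the work, so walk up until one hash takes
    // at least the target time.
    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        if (secondsPerBcrypt($cost) >= $targetSeconds) {
            return $cost;
        }
    }
    return $maxCost;   // still under target at the maximum tried: use it and revisit
}

$cost   = chooseBcryptCost();
$bcrypt = secondsPerBcrypt($cost);
$sha1   = secondsPerSha1();
printf("bcrypt cost %d: %.3f s per hash\n", $cost, $bcrypt);
printf("sha1: %.2e s per hash, so one bcrypt guess costs about %.0f sha1 guesses\n",
       $sha1, $bcrypt / $sha1);
```

The ratio printed understates the real gap: the sha1 figure is for a single PHP process, while offline guessing runs sha1 on GPUs many orders of magnitude faster, which is exactly why an adjustable-cost algorithm is needed.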
-2

The best (and recommended) way of hashing passwords in PHP is using crypt().

Here's a simple example from the PHP documentation:

$hashed_password = crypt('mypassword');

// now store $hashed_password in the database

Later, to check an entered password (assuming $user_input is the entered password):

// retrieve $hashed_password from the database, then:

if (crypt($user_input, $hashed_password) == $hashed_password) {
   echo "Password verified!";
}

Note that in this example (above) the salt is automatically generated when the password is first hashed. This is dangerous and should be avoided. A pseudo-random salt should be provided and could be generated like so:

$salt = substr(str_replace('+', '.', base64_encode(pack('N4', mt_rand(), mt_rand(), mt_rand(), mt_rand()))), 0, 22);

For a much better explanation, see the Stack Overflow question linked by citricsquid.

Xenon
  • Well @Xenon I'm trying to store my password in the DB. So actually what should the code look like? Can you update it, please? – Babu Nov 04 '12 at 07:26
  • crypt should not be used without specifying the salt - it will likely default to MD5 hashing, which is not safe to use for passwords – Stephen Nov 04 '12 at 07:28
  • the answer below by @citricsquid should be accepted as the correct answer. This answer is insecure and dangerous. – Stephen Nov 04 '12 at 07:35
  • @Stephen I have updated the answer to include information about salt generation. – Xenon Nov 04 '12 at 07:37
  • @Xenon: If you feel that linked answer answers the question better, please just leave it as comment under the question and suggest the whole question as duplicate. Thank you. – hakre Nov 04 '12 at 10:35
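Two things in the answer above are worth tightening when using crypt() directly: the salt must carry the bcrypt prefix (otherwise crypt() does not use bcrypt at all), it should come from a cryptographic random source rather than mt_rand(), and the comparison should not be PHP's loose ==. The following is an added example, not Xenon's code, showing crypt() driven with an explicitly built "$2y$" salt on PHP 7+ (random_bytes() and hash_equals() are assumed to be available).

```php
<?php
// Added example: bcrypt through crypt() with an explicit, randomly generated salt.
declare(strict_types=1);

const BCRYPT_COST = 12;

function bcryptSalt(int $cost = BCRYPT_COST): string
{
    // bcrypt wants "$2y$<cost>$" followed by exactly 22 characters from ./A-Za-z0-9.
    // 16 random bytes base64-encode to 24 chars; the first 22 are kept and '+'
    // (not in bcrypt's alphabet) is mapped to '.'.
    $raw = random_bytes(16);                                   // CSPRNG, unlike mt_rand()
    $b64 = strtr(substr(base64_encode($raw), 0, 22), '+', '.');
    return sprintf('$2y$%02d$%s', $cost, $b64);
}

function hashPassword(string $password): string
{
    $hash = crypt($password, bcryptSalt());
    // crypt() signals a rejected salt with a short string such as "*0";
    // a valid bcrypt result is always 60 characters and keeps the prefix.
    if (strlen($hash) !== 60 || strpos($hash, '$2y$') !== 0) {
        throw new RuntimeException('bcrypt unavailable or salt rejected');
    }
    return $hash;
}

function verifyPassword(string $password, string $storedHash): bool
{
    // Passing the stored string as the salt makes crypt() reuse its algorithm,
    // cost and salt, so the output matches only for the same password.
    $computed = crypt($password, $storedHash);
    // hash_equals() compares in constant time and without type juggling,
    // which == would apply (e.g. to strings that look like numbers).
    return hash_equals($storedHash, $computed);
}

// Usage with constructed values:
$stored   = hashPassword('correct horse battery staple');
$accepted = verifyPassword('correct horse battery staple', $stored);
$rejected = verifyPassword('wrong password', $stored);
```

The stored string is self-describing, so the verification side never needs a separate salt column, which is the answer to the "how do you check it" question in the comments on the question.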
-3

You cannot use a random value for salt, since you won't be able to compare the entered password and the one stored in the database afterwards.

Your encryption is mainly ok, but you can go real crazy if you want...

<?php
// Single quotes: in the original double-quoted string "$GGG" and "$T" would be
// interpolated as (undefined) variables and silently dropped from the salt.
$salt = 'fF#$GGG$T@#4309g9jERGWrgrew@GH';
$pepper = 'vV@@#V90Ù39009gfjigwjorn)(';
$pass = '123456789';
$pass = $salt.$pass.$pepper;
// 40 chained rounds of SHA-256 over salt + password + pepper
for ($i = 0; $i < 40; $i++) {
    $pass = hash('sha256', $pass);
}

echo $pass;
?>

Jean
  • This is not encryption, but hashing. – Alvin Wong Nov 04 '12 at 07:26
  • Well, the question is about hashing, not encryption. – Jean Nov 04 '12 at 07:27
  • also completely incorrect. every single password hash you generate should have a new random salt generated for it. the results from crypt() will include all that is needed to compare the password at a later date. – Stephen Nov 04 '12 at 07:30
  • OK, after reading the post mentioned in the above comment, I guess you can go with the real security thing and use bcrypt. http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php – Jean Nov 04 '12 at 17:35