0

Possible Duplicate:
Secure hash and salt for PHP passwords

I have:

$insert_query = 'insert into '.$this->tablename.'(
        name,
        email,
        username,
        password,
        confirmcode
        )
        values
        (
        "' . $this->SanitizeForSQL($formvars['name']) . '",
        "' . $this->SanitizeForSQL($formvars['email']) . '",
        "' . $this->SanitizeForSQL($formvars['username']) . '",
        "' . md5($formvars['password']) . '",
        "' . $confirmcode . '"
        )';

I would like to salt and properly sha256 hash the password instead of using md5, how would I salt it properly? Is it secure enough to save the salt pass in the php file?

Community
  • 1
  • 1
user1841964
  • 101
  • 1
  • 2
  • 8
  • 4
    Hint, search for bcrypt :) – Ja͢ck Dec 13 '12 at 22:42
  • This more general approach may be helpful: http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords – mjk Dec 13 '12 at 22:44
  • Or, search for any phrase containing "salt" and "hash", really. I would down-vote if I had any dailies left. Please *search first*, especially for such basic knowledge questions. –  Dec 13 '12 at 22:47
  • 1
    (*SHA-x, even with salt, is not appropriate for password hashes*. But this would have been turned up time and time again in a *search* ..) –  Dec 13 '12 at 22:49
  • @Jack What is the first number in the PasswordHash function? Looks like this: PasswordHash(8, FALSE) – user1841964 Dec 13 '12 at 23:04
  • 1
    Since this probably be closed, you could check [one my posts](http://stackoverflow.com/questions/10916284/how-to-encrypt-decrypt-data-in-php/10945097#10945097) that deals with both hashing and encryption. – Ja͢ck Dec 13 '12 at 23:10

1 Answers1

0

You can salt it properly by creating a random number and encrypting that. One login system I did a while back actually encrypted the password via MD5, then generated a random number between 100,000 and 999,999 and added that onto the end of the encrypted password. After that, the entire string was encrypted again via MD5. Perhaps a bit overkill really, but it did the job certainly.

You can read more on password salting, hashing, and encryption here.

cereallarceny
  • 4,913
  • 4
  • 39
  • 74
  • It probably decreased the security of the initial MD5... – user1841964 Dec 13 '12 at 22:50
  • Hmm, I'm not sure I agree. Why do you say that? – cereallarceny Dec 13 '12 at 22:51
  • So, the link is relevant (and this should be closed as a duplicate) .. but where does the rest fit in? (Also, hashing is *not* encryption.) –  Dec 13 '12 at 22:52
  • That's not overkill, that's underkill. MD5 is a very bad choice for hashing passwords, you should use a **slow** key-derivation function like BCrypt instead. What you did is security by obscurity, this helps only as long as an attacker has not gained any priviledges on the server. You could do the same easier adding a secret pepper. – martinstoeckli Dec 14 '12 at 08:23
  • Your scheme actually seems to have a name _vBulletin_ (there is currently a question open on [security.stackexchange.com](http://security.stackexchange.com/q/7229/8343)). With common hardware one can calculate 2 Giga such hashes per second, that makes about 2 milliseconds for a whole english dictionary. Thought you could be interested, won't bother you anymore :-). – martinstoeckli Dec 14 '12 at 21:09