0

I was wondering if someone could me some advice please? I was wondering how secure/insecure or otherwise rubbish the following code is for encrypting passwords using Codeigniter?

$safe_password = sha1($password, $config['encryption_key'])

If not secure can people give me some tips to make it more secure using Codeigniter please?

Many thanks :)

Anirudh Ramanathan
  • 46,179
  • 22
  • 132
  • 191
user774715
  • 129
  • 1
  • 2
  • 11
  • Because sha1 function returns longer, thus more secure hashes. As well, hash() has no encryption key, so there will be same hash keys on different domains. – Tomáš Zato Feb 04 '13 at 17:25
  • If you're not particularly avoiding a module like Ion Auth, why not go with something like that? – Sturm Feb 04 '13 at 17:25
  • More info from the PHP docs on hashing passwords: http://www.php.net/manual/en/faq.passwords.php#faq.passwords.fasthash – Joseph Erickson Feb 04 '13 at 17:27
  • possible duplicate of [Secure hash and salt for PHP passwords](http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords) - Since everyone else is posting generic (i.e. none-codeigniter) answers. – Mike B Feb 04 '13 at 17:28

5 Answers5

2

sha1 has been know to be vulnerable to collision attacks, try using bcrypt as it's one of the best. If bcrypt doesn't work for you use sha512 and add a salt too.
bcrypt may seem daunting to use but here's an article on why you should use it: http://phpmaster.com/why-you-should-use-bcrypt-to-hash-stored-passwords/

The reason why sha1 is unsecure is because of collision attacks, here is one of the papers where it exposes sha1's security risks: http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html

If you would like to use sha512 all you need to do is: 

hash('sha512', $password.$salt);

And make sure you always use a salt or else some one can use a rainbow table (database) to see if your hash matches a common password inside the database.

C1D
  • 3,034
  • 2
  • 21
  • 20
  • SHA-1 is still resistant to [preimage attacks](http://en.wikipedia.org/wiki/Preimage_attack). – Gumbo Feb 04 '13 at 19:34
0

Better solution is with bcrypt, have a look at this tutorial.

Here is a small library that you can use with Codeigniter https://github.com/waldirbertazzijr/codeigniter-bcrypt

Another related question.

Community
  • 1
  • 1
Bertrand
  • 13,540
  • 5
  • 39
  • 48
0

Hashing algorithms such as sha1 and md5 are not suitable for password storing. They are designed to be very efficient. This means that brute forcing is very fast. Even if a hacker obtains a copy of your hashed passwords, it is pretty fast to brute force it. If you use a salt, it makes rainbow tables less effective, but does nothing against brute force. Using a slower algorithm makes brute force ineffective. For instance, the bcrypt algorithm can be made as slow as you wish, and it uses salts internally to protect against rainbow tables. I would go with such an approach or similar if I were you.

ba0708
  • 10,180
  • 13
  • 67
  • 99
0

From PHP DOC

string sha1 ( string $str [, bool $raw_output = false ] ) If the optional raw_output is set to TRUE, then the sha1 digest is instead returned in raw binary format with a length of 20, otherwise the returned value is a 40-character hexadecimal number.

My Advice use BCRYPT its more secure for easy implementation you can try password_compat

Example 

$hash = password_hash($password, PASSWORD_BCRYPT);
Baba
  • 94,024
  • 28
  • 166
  • 217
0

No, sha1() is not considered secure as can be read, for example, here: http://www.php.net/manual/en/faq.passwords.php#faq.passwords.fasthash

Currently, a good choice might be SHA512 using a salt: hash('sha512', 'text+salt')

str
  • 42,689
  • 17
  • 109
  • 127