2

Before I start I'd like to apologise for bringing up this subject once again, as many users did, but with a research I did, I wasn't happy with what I've found. I just hope to come up with something really helpful here.

Since md5 or sha1 are considered bad practice (even when using salts ???), I have tried to create this function for hashing my password

$password = $_POST['password']; // lets say that my password is: my_sercretp@ssword123
function encrypt_the_password($password){
    $salt = "lorem_ipsumd0l0rs1t@m3tc0ns3ct3tur@d1p1sc1ng3lit";
    return hash('sha256', $salt.$password);// can use also different algorithm like sha512 or whirlpool
}
$hashed_password = encrypt_the_password($password);

Note that this one I use it in a personal website with only one user, me. In case of having more than one users I come up with something like this:

$password = $_POST['password'];
function generate_salt() {
    $salt = uniqid(md5("lorem_ipsumd0l0rs1t@m3tc0ns3ct3tur@d1p1sc1ng3lit".microtime()));
    $salt = hash('sha256', $salt);// can use also different algorithm like sha512 or whirlpool
    return $salt;
}
function encrypt_the_password($password,$salt){
   return hash('sha256', $salt.$password);// can use also different algorithm like sha512 or whirlpool
}
$hashed_password = encrypt_the_password($password,generate_salt());

Is this secure enough (in each case) or can this improved more???

MY EDIT: I tried to come up with something new using the crypt() function. Here's my code in case of having a site with only one user, admin:

$password = $_POST['password'];
$salt = "L0r3mIpsUmD0l0rS1tAm3t";
$hashed_password = crypt($password', '$2a$12$' . $salt);

and in case of having a site with more than one users:

$password = $_POST['password'];
function generate_salt() {
        $salt = uniqid(sha1("L0r3mIpsUmD0l0rS1tAm3tc0ns3CT3tur4d1p1sc1ng3lit".microtime()));
        $salt = substr(sha1($salt), 0, 22);
        return $salt;
}
$hashed_password = crypt($password', '$2a$12$' . generate_salt());

Is this ok or needs improvements???

ltdev
  • 4,037
  • 20
  • 69
  • 129

2 Answers2

6

Improve it by not making up your own algorithm. Your algorithm is insecure because your salt is constant and you only hash with one iteration of SHA256, which is computationally cheap.

Instead, use Bcrypt, which is both computationally expensive and verified by people who know what they're doing, so it's much safer than your solution.

Community
  • 1
  • 1
Blender
  • 289,723
  • 53
  • 439
  • 496
  • How can I add iteration to this?? I don't get it. I mean if I iterate the sha256 1000 times, isn't returning back always the same hashed string?? – ltdev Mar 29 '13 at 09:37
  • @Lykos: You *don't* add iteration. I'm just pointing out why your hash is bad. *Do not make your own password hashing function*. Use Bcrypt or pbkdf2. – Blender Mar 29 '13 at 11:14
  • Bcrypt is same as crypt()?? – ltdev Mar 29 '13 at 11:21
  • @Lykos - **BCrypt** is a hash algorithm, that does iterations on its own, it provides a cost parameter that determines the needed computing time. You could do something similar with other hash algorithms like **sha256**, a save method to do this is **PBKDF2**. The function `crypt()` on the other hand, is part of PHP and can calculate BCrypt hashes as well as other hashes. Have a look [here](http://www.martinstoeckli.ch/php/php.html#bcrypt) if you want more background information. – martinstoeckli Mar 30 '13 at 13:12
  • I did some changes using crypt() in my code and paste it above. Is this ok or needs improvements??? – ltdev Apr 02 '13 at 08:53
3

You should use the password functions that will come inbuilt in PHP 5.5. There's a fallback library by ircmaxell that can provide the functions in earlier versions of PHP: https://github.com/ircmaxell/password_compat

It will always use the most recent hashing technique available, and in case even update the records for you. Make sure you read the README coming along with this library.

Do not make your own hashing function.

Woxxy
  • 1,313
  • 10
  • 12