-2

In an MVC style web app, what's the best/most secure way of setting up a hashing method that's available globally?

I've just been doing this within my core controller that is extended by the rest of my scaffolding:

class Core{

    // Holds the result of the last salt() call; declared explicitly so the
    // property is not created dynamically (deprecated since PHP 8.2).
    protected $data;

    // One fixed application-wide salt and a single fast md5 round
    protected function salt($string=null){
        $salt = 'dsjflk32osdjshewy8327rtewyrkjfdhdsgnmbcxvsgfyew3287';
        $this->data = md5($salt.$string);

        return $this->data;
    }
}

Is this good practice, or should I be doing something different?

tereško
Dan
  • Don't use MD5, it is too weak. Don't use a common salt for all your passwords. Don't use only a single hash of the password. Do read https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet – Quentin May 14 '13 at 06:35
  • @Quentin - thanks, any other links would be much appreciated. – Dan May 14 '13 at 06:43
  • Try crypt() http://www.w3schools.com/php/func_string_crypt.asp – ChamingaD May 14 '13 at 06:55
  • 1
    Try avoiding that w3schools link as (a) w3schools is generally untrustworthy and (b) it appears to be little more than a copy/paste of part of the manual: http://php.net/crypt – Quentin May 14 '13 at 08:23

5 Answers

2

It depends on what you want to hash. If it's just to create a unique identifier for larger/grouped datasets, then you could just use MD5. Using salt isn't really needed then, but it can't harm you either.

If you want to use it for passwords, don't use a hashing function that is optimized for speed at all, because it's not really secure. For passwords I recommend Bcrypt and this question has a lot of information on why you should use it.

If you need the hashing function to disguise parameters, so they cannot be altered, an md5 hash would be sufficient as well. Since you need to store the link between the hash and the actual value somewhere, they can try to bruteforce the md5 to change the parameter, but they still can only enter values you allowed and have in your link table.

Hugo Delsing
  • Yes, absolutely use BCrypt for passwords, together with a unique salt for each password. Nowadays it shouldn't be necessary to create the salt on your own, leave it to the PHP function [password_hash()](http://php.net/manual/en/function.password-hash.php) since it is a delicate thing. – martinstoeckli May 14 '13 at 07:19
  • If you use bcrypt you don't need to add a unique salt per user. That is handled internally by bcrypt. – Hugo Delsing May 14 '13 at 07:31
  • The libraries that simplify using BCrypt normally generate such salts, but not the `crypt()` function itself, which finally calculates the BCrypt hash. But that's what I just wrote :-). – martinstoeckli May 14 '13 at 07:37
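The bcrypt approach recommended in this answer and its comments, as an added example that is not code from the question or from any answer here: the question's Core::salt() helper is replaced by password_hash()/password_verify(), so each password gets its own random salt stored inside the hash string. It assumes PHP 7.0 or later; the method names and the demo controller are hypothetical.

```php
<?php
// Added example: a globally available password helper for the question's
// MVC scaffolding, built on password_hash()/password_verify() (PHP >= 5.5;
// scalar type hints below need PHP >= 7.0). Class/method names are assumed.

class Core
{
    // bcrypt work factor; raise it over time as hardware gets faster.
    const BCRYPT_COST = 12;

    // The question's variant, kept only for comparison: one fixed salt for
    // every input and a single fast md5 round, so equal inputs give equal
    // output and precomputed tables work against every user at once.
    protected function weakSalt(string $string): string
    {
        $salt = 'dsjflk32osdjshewy8327rtewyrkjfdhdsgnmbcxvsgfyew3287';
        return md5($salt . $string);
    }

    // Store the returned string (algorithm, cost, salt and hash) in the users table.
    protected function hashPassword(string $password): string
    {
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => self::BCRYPT_COST]);
    }

    // Reads salt and cost back out of $stored and compares in constant time.
    protected function verifyPassword(string $password, string $stored): bool
    {
        return password_verify($password, $stored);
    }

    // After a successful login: true when $stored was made with an older cost
    // or algorithm and should be replaced by hashPassword() of the plaintext.
    protected function needsRehash(string $stored): bool
    {
        return password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => self::BCRYPT_COST]);
    }
}

// Hypothetical controller extending Core, as the question's scaffolding does.
class DemoController extends Core
{
    public function run()
    {
        $password = 'constructed sample password';          // constructed input
        $stored   = $this->hashPassword($password);
        var_dump($this->verifyPassword($password, $stored)); // correct password
        var_dump($this->verifyPassword('other', $stored));   // wrong password
        // Same input, different hash each time: the salt is random per call.
        var_dump($stored === $this->hashPassword($password));
        // The md5 helper is deterministic, which is what makes it weak here.
        var_dump($this->weakSalt($password) === $this->weakSalt($password));
        var_dump($this->needsRehash($stored));              // fresh hash, current cost
    }
}
(new DemoController())->run();
```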
1

Look at Openwall's phpass

http://www.openwall.com/phpass/

It's used in a lot of open source PHP projects.

exussum
  • I've heard of this, looks like it's basically an abstraction layer that extends `md5()`. Nice find! – Dan May 14 '13 at 06:32
  • 1
    It doesn't use MD5, and the salts are per user. Having 1 salt per application helps speed up the cracking process – exussum May 14 '13 at 06:46
0

This is an alternate solution,

      // crypt() takes the salt as its second argument rather than concatenated
      // into the input; $salt must be in crypt's own format (for example a
      // "$2y$10$" bcrypt salt) and the argument is mandatory as of PHP 8.0.
      $this->data = crypt($string, $salt);
Shijin TR
0

It's not a good idea to use a constant salt in a hash. It's wise to use a different salt for each hash. For this you can:

  1. Generate random salt and save it next to the hash in db

  2. (better) A password is always connected with some entity in the database, so you can pick some attribute that won't change (its ID or creation date) as the varying part of the salt.

Tomasz Kapłoński
0

Use SHA512 for encryption, MD5 is not secure at all. Method I use to get it encrypted:

$salt = hash("SHA512", $myconstantvar);    // application-wide constant
$peper = hash("SHA512", $username);        // per-user value
$pass = hash("SHA512", $mypass);           // the password itself (missing "$" fixed)

$enc_pass = hash("SHA512", $salt.$pass.$peper);   // final value to store (missing "$" fixed)