I have been looking into replacing SHA1 as the encryption of passwords with possibly bcrypt or something similar, and I can't seem to find a step-by-step, easy-to-follow tutorial for implementing this. I did a quick tutorial on YouTube which produced the following code:

<?php
$username = 'myusername';
$password = 'pa55w0rd';

// the first 6 characters of the username become part of the salt
$str  = substr($username, 0, 6);
// '$2a$12$' + 16 fixed characters + 6 username characters = the 22 salt
// characters bcrypt reads; crypt() ignores the trailing '$'
$salt = '$2a$12$rU8E3fsI9rsKh3V2'.$str.'$';
$pass = crypt($password, $salt);

echo $salt . '<br>' . $pass;

and when I run the code in the browser, this gets output:

$2a$12$rU8E3fsI9rsKh3V2myuser$
$2a$12$rU8E3fsI9rsKh3V2myuseeMSOT1BADLFs/ncqHx5aG2q953uqp.Tu

QUESTION 1:

Am I correct in assuming that both strings are generated for a user, and that both strings are required to be stored in, for example, the users table as columns "salt" and "pass"?

QUESTION 2:

Why does it look like part of the username is visible within the salt and the pass? Is this normal, or is there some additional step I need to take to eliminate this from happening?

QUESTION 3:

Is this approach to hashing passwords more secure than md5 and sha1, or is there a better approach that I should be using?

Any suggestions appreciated..

Donal.Lynch.Msc

2 Answers

I'd recommend using PHP's new password_hash and password_verify functions.

As you probably don't have PHP >= 5.5.0, there's a PHP implementation that adds support for the upcoming functions to older versions of PHP.

More info: https://gist.github.com/nikic/3707231

Oscar Broman
  • I have PHP 5.3.0 - should I upgrade to 5.5 and use these functions? Is that what you recommend? Do these functions use bcrypt behind the scenes?? – Donal.Lynch.Msc May 18 '13 at 14:05
  • @DJDonaL3000 The implementation I linked works fine in PHP 5.3 so you don't have to upgrade just yet. It uses bcrypt if you specify that in `password_hash` (2nd argument). – Oscar Broman May 18 '13 at 14:33
  • The linked PHP implementation works on 5.3.7+. And *might* work on implementations with backported fixes. However if you are still on 5.3.0 I strongly recommend to upgrade to at least the latest 5.3.x version when possible. – PeeHaa May 19 '13 at 02:24
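As an added illustration of this answer's recommendation (this is not code from the original answer or from the linked gist): registration, login and hash upgrade using the `password_*` API, plus a small parser that splits a bcrypt string into its fields to show why a single `password` column is enough. It assumes PHP 7.1 or later for the type declarations; the cost of 12 is an assumption to tune per host, and `bcrypt_fields()` is a helper written for this example.

```php
<?php
// Added example, not from the original answer. Assumes PHP >= 7.1
// (native password_* functions, scalar type declarations).

// Assumption: 12 is a reasonable starting cost; measure on your own
// hardware and raise it until one hash takes on the order of 100-250 ms.
const BCRYPT_COST = 12;

// Hash once at registration. The returned 60-character string already
// carries the algorithm identifier, the cost and a randomly generated salt.
function make_password_hash(string $password): string
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    if ($hash === false) {
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

// Verify at login. password_verify() reads cost and salt out of the stored
// hash and compares in constant time, so no separate "salt" column is needed.
function check_password(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// After a successful login: return a fresh hash when the stored one was made
// with a lower cost or another algorithm, so old rows are upgraded over time.
function maybe_rehash(string $password, string $storedHash): ?string
{
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return make_password_hash($password);
    }
    return null;
}

// Helper for this example: split "$2y$12$<22-char salt><31-char digest>"
// into its fields. The salt is visible by design; it is not a secret.
function bcrypt_fields(string $hash): array
{
    $re = '/^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

// Demonstration on a constructed password.
$stored = make_password_hash('pa55w0rd');   // store only this string
var_dump(check_password('pa55w0rd', $stored));
var_dump(check_password('wrong password', $stored));
print_r(bcrypt_fields($stored));            // salt is random: no username in it

$upgraded = maybe_rehash('pa55w0rd', $stored);
var_dump($upgraded === null);               // already at BCRYPT_COST, nothing to do
```

Hashing the same password twice yields two different strings because each call draws a fresh random salt; that is expected, and `password_verify()` still accepts either one.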
  1. No, the salt is stored as part of the hashed password. Note that hashing is done against rainbow attacks (pre-prepared hash dictionary) or similar.

    In order to check for a valid password, the crypt function can take the hashed password itself as the salt, for it knows how to split the salt from the hash. See: Comparing passwords with crypt() in PHP

  2. No, that's fine, see above.

  3. SHA1 is better and stronger than MD5, although it is preferable to use SHA-2.

HLL
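To make point 1 of this answer concrete, here is an added example (not code from the answer or from the question) of the crypt() mechanics that sit underneath: a properly sized random salt instead of one built from the username, and verification that passes the stored hash back in as the salt argument. It assumes PHP 7.0 or later for `random_bytes()` and `hash_equals()`, and the `$2y$` identifier, which PHP accepts from 5.3.7 onward; the function names are chosen for this example.

```php
<?php
// Added example, not from the original answer. Assumes PHP >= 7.0
// (random_bytes, hash_equals) and the "$2y$" bcrypt identifier (PHP >= 5.3.7).

// bcrypt takes exactly 22 salt characters from the alphabet ./A-Za-z0-9.
// 16 random bytes base64-encode to 24 characters ("==" padded); the first
// 22 are data, and '+' is swapped for '.' to match bcrypt's alphabet.
function bcrypt_salt(int $cost = 12): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    $b64  = base64_encode(random_bytes(16));
    $salt = substr(strtr($b64, '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

function bcrypt_hash(string $password, int $cost = 12): string
{
    $hash = crypt($password, bcrypt_salt($cost));
    // On failure crypt() returns a string shorter than 13 characters;
    // a bcrypt result is always 60 characters long.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not produce a bcrypt hash');
    }
    return $hash;
}

// The stored hash doubles as the salt argument: crypt() reads "$2y$NN$" and
// the 22 salt characters from it and ignores the digest that follows, so the
// same password reproduces the entire 60-character string.
// Compare against the stored string, not the salt you originally generated:
// crypt() canonicalises the last salt character (the question's "myuser"
// came back as "myusee" for this reason).
function bcrypt_verify(string $password, string $stored): bool
{
    $recomputed = crypt($password, $stored);
    return hash_equals($stored, $recomputed);   // constant-time comparison
}

// Demonstration on a constructed password: one column holds everything.
$stored = bcrypt_hash('pa55w0rd');
var_dump(bcrypt_verify('pa55w0rd', $stored));
var_dump(bcrypt_verify('pa55w0rd!', $stored));
var_dump(substr($stored, 0, 7) === '$2y$12$');
```

This is what `password_hash()` and `password_verify()` do for you; the hand-rolled version is shown only to make the stored-salt behaviour visible, and in real code the built-in functions (or the compatibility library from the first answer on older PHP) are the better choice.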