I'm using PHP. I want a safe and fast password encryption system. Hashing a password a million times may be safer, but also slower. How to achieve a good balance between speed and safety? I want to know the best encryption method in php and how to apply it.
- hashing a password a million times is both slow and less-safe than simply hashing it once – Mark Baker Jul 09 '13 at 11:18
- @MarkBaker Well, actually a slow hashing process is good for passwords, but not md5 or any sha* algorithms... – Bun Jul 09 '13 at 11:19
- MD5 is not possible to decrypt. For storing passwords it will be ok. Isn't it? – mihai Jul 09 '13 at 11:20
- @meorfi No because rainbow tables are super easy to create for md5... Hashing algorithms cannot be decrypted, ever, but that doesn't mean it's well suited to hash passwords... – Bun Jul 09 '13 at 11:21
- Wow, so many awful answers, people saying MD5 is bad without *providing a resource explaining why*. Encryption is not what hashing is. If you encrypt something, you can *decrypt* it. Meaning, you can obtain the original text. Point of the hashing is that **no one knows** what original text was. Every single hashing algorithm is susceptible to rainbow table attack, it's just not feasible for some algorithms since sufficient computing power doesn't exist for that. Also, slower hashing algorithms = good. If it's slow for you, it's slow for the attacker as well. That's what you want. – N.B. Jul 09 '13 at 11:21
- @user2386164 - slow is good, agreed; but not when hashing repeatedly reduces entropy (http://deadliestwebattacks.com/category/crypto/) – Mark Baker Jul 09 '13 at 11:21
- [Is double hashing a password less secure than just hashing it once?](http://stackoverflow.com/questions/348109/is-double-hashing-a-password-less-secure-than-just-hashing-it-once) – Mark Baker Jul 09 '13 at 11:27
- Source from Wikipedia: http://en.wikipedia.org/wiki/MD5#Collision_vulnerabilities :- "In 2005, researchers were able to create pairs of PostScript documents[24] and X.509 certificates[25] with the same hash. Later that year, MD5's designer Ron Rivest wrote, "md5 and sha1 are both clearly broken (in terms of collision-resistance)."[26]" – Tarik Jul 09 '13 at 11:57
- Also see Openwall's [PHP password hashing framework](http://www.openwall.com/phpass/) (PHPass). It's portable and hardened against a number of common attacks on user passwords. The guy who wrote the framework (SolarDesigner) is the same guy who wrote [John The Ripper](http://www.openwall.com/john/) and sits as a judge in the [Password Hashing Competition](http://password-hashing.net/). So he knows a thing or two about attacks on passwords. – jww Oct 12 '14 at 00:39

4 Answers
I recommend using the new PHP 5.5 password API. It provides a secure means of hashing a password, while being fast enough.
If you don't have PHP 5.5 available there is a polyfill that works with PHP 5.3.7+: https://github.com/ircmaxell/password_compat

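An added example, not part of the original answer, showing how the PHP 5.5 password API mentioned above lets you pick the speed/safety balance the question asks about: benchmark the bcrypt cost on your own server, then verify logins and upgrade old hashes. The function names `tuneBcryptCost()`, `hashPassword()` and `verifyLogin()`, the 50 ms budget and the sample password are assumptions for illustration.

```php
<?php
// Added example: helper names and the 50 ms budget are assumptions.

// Return the lowest bcrypt cost whose single hash takes at least
// $targetSeconds on this server (each cost step doubles the work).
function tuneBcryptCost($targetSeconds = 0.05, $min = 10, $max = 15)
{
    for ($cost = $min; $cost < $max; $cost++) {
        $start = microtime(true);
        password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        if (microtime(true) - $start >= $targetSeconds) {
            break;
        }
    }
    return $cost; // equals $max if the budget was never reached
}

// Hash a new password. A random salt is generated and stored inside
// the returned string, so no separate salt column is needed.
function hashPassword($password, $cost)
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Check a login attempt. Returns array($ok, $newHash); $newHash is non-null
// when the stored hash uses different parameters and should be replaced.
function verifyLogin($password, $storedHash, $cost)
{
    if (!password_verify($password, $storedHash)) {
        return array(false, null);
    }
    $newHash = null;
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $cost])) {
        $newHash = hashPassword($password, $cost);
    }
    return array(true, $newHash);
}

$cost   = tuneBcryptCost();
$sample = 'correct horse battery staple';   // constructed sample password
$stored = hashPassword($sample, 10);        // pretend this came from the DB

list($ok, $upgrade) = verifyLogin($sample, $stored, $cost);
printf("cost=%d ok=%s rehash=%s\n", $cost, var_export($ok, true),
       $upgrade === null ? 'no' : 'yes');

list($bad) = verifyLogin('wrong guess', $stored, $cost);
printf("wrong password accepted: %s\n", var_export($bad, true));
```

Run the benchmark on the production hardware and store the chosen cost in configuration; raising it later only affects new hashes and hashes upgraded at the next successful login.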
Use PHPass, it is an excellent hashing framework and very easy to use!

Use SHA512 http://php.net/manual/en/function.hash.php. SHA512 is not cracked. I suggest to use a salt: Some random string that you append to the password before hashing. This can protect against precomputed rainbow tables but not against dictionary attacks if the attacker gains access to the database containing passwords and salts.

- SHA512(password + salt) --> hash
- Store hash and salt in the DB
- When checking password, retrieve salt corresponding to user, concatenate it with password, hash it and compare it with stored hash.

Read here: How long to brute force a salted SHA-512 hash? (salt provided)
Thinking back about your question and particularly about your statement "Hashing a password a million times may be safer, but also slower. How to achieve a good balance between speed and safety". Indeed, repeatedly hashing will protect you against dictionary attacks by making it computationally prohibitively expensive to compute all hashes in a dictionary. I am not teaching you anything here. From the first link I gave you, it took around 46 milliseconds to calculate a SHA512 hash, which is relatively long. Out of hand I can think of the following factors that could influence your decision as you are in an arms race setting:

- Increasing computing power (more CPU cores and GPU computations)
- Improved Algorithms over time
- Amount of money available to the attacker
- The value to get out of your site if cracked (if low, it would not be worth the effort)

against

- Amount of CPU power you have at your disposal

As a rule of thumb, I would hash as many times as possible so as to not impact my web site performance. Taking into account the number of logins per second, you can roughly calculate the amount of CPU power you can afford to spend without impacting your site performance.
One last comment: Assuming hackers already have access to the table containing the user names and hashed passwords, you might at that point be more worried about all the bad things they can do on your site.

- Exactly. So why advise a specific one if there's tens of algorithms that are slow, big and secure? Why SHA512 and not some other? If you specify that ONE, then what's the reason behind it? Personal preference, it's really good in web environment etc.? Yes, sha512 is great, but there are similar ones. Why limit your answer to 1 algorithm? – N.B. Jul 09 '13 at 11:37
- I proposed A solution but did not claim that it is THE only solution. When you pointed this out, I immediately acknowledged that you indeed were right. Now, I really have no hidden agenda, preference or any personal benefit from proposing SHA512 over any other algorithm. The most I could do to satisfy your inquiry is to admit that I intellectually neglected to mention alternatives. I guess the purpose of this site is to help, correct each other when we err but not scrutinize peoples' defects and failures, especially when they have the honesty to acknowledge their mistakes. – Tarik Jul 09 '13 at 14:58
- I'm not native English speaker so my comments might come off as rude, which isn't my intention. I really thought you had a personal preference or something similar when choosing an algorithm. – N.B. Jul 09 '13 at 15:00
- To answer your question: No preference, maybe sticking to well known algorithms. But really, there is no valid technical reason for SHA512 over other similar algorithms equivalent in strength. – Tarik Jul 09 '13 at 15:17

You're not looking for encryption - you're looking for hashing.
I suggest Openwall's phpass http://www.openwall.com/phpass/
If you are using PHP5.5 they have a password hashing API, see http://uk3.php.net/password for more info.
MD5 (salt-less) has been used for a while; a large number of lookup lists are around. Combined with modern hardware getting 700K+ passwords per second, it won't take long at all to "reverse" the password.
With a salt they are more secure, but still can be cracked quickly.


- HashPassword($password) to hash it and CheckPassword($password, $hash) to check it – exussum Jul 09 '13 at 12:26
- You will probably not reverse the password but find a collision (a password that will result in the same MD5 hash). – Tarik Jul 10 '13 at 10:13
- by "reverse" I mean dictionary attack finding the output by trying many inputs – exussum Jul 10 '13 at 10:15