
I heard it is bad to store passwords in plain text in a database, so I'm looking for a nice safe way to store passwords. I have done some research and have a working example.

$cost = 10;
// 16 random bytes from /dev/urandom, base64-encoded. bcrypt's salt alphabet is ./A-Za-z0-9,
// so '+' is mapped to '.'; crypt() only reads the first 22 characters, so the trailing '==' is ignored.
$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
// '$2y$' is the bcrypt identifier to use on PHP >= 5.3.7; single quotes keep PHP from interpolating the string.
$salt = sprintf('$2y$%02d$', $cost) . $salt;
$hash = crypt($password, $salt);

$hash is the final string that is saved into the database. To check a password at login I have:

// $storedHash  = pass from the DB
// $enteredPass = pass from the login
$check = crypt($enteredPass, $storedHash); // the stored hash carries the salt and cost, so it is passed as the salt
if ($check == $storedHash) {
    // pass entered is correct
}

I'm not looking for the best ever hashing just something that is good enough to put out on the internet as a small company or something

Steven Johnston
  • [This](http://stackoverflow.com/a/1581919/1438393) answer might help. – Amal Murali Sep 14 '13 at 00:54
  • `$enterdPass` will of course have to be hashed using the same method. – Mike Christensen Sep 14 '13 at 00:55
  • You should use 2ROT13 and MD5. – Cole Tobin Sep 14 '13 at 01:29
  • [Rich Adam's answer from this SO](http://stackoverflow.com/questions/2999197/do-i-need-a-random-salt-once-per-password-or-only-once-per-database) is worth a read as well. Long story short: you want to hash your password, but you want to use two different "salts" to do it. One is a random salt that you can store in your DB. The other is stored on the file system. And you want to use a SHA-2 method. SHA-1 is sufficiently small that, with the computing power available today, it is easily cracked. – jmbertucci Sep 14 '13 at 01:48
  • That Rich Adam's answer is outdated. Suggesting to use any FAST hashing algorithm is asking for trouble. And the use of "static salt" or "pepper" hasn't been proven to have more security than simply adding an individual salt. – Sven Sep 14 '13 at 07:11

1 Answer


PHP has a nice password hashing API since version 5.5, and it has been backported to be used with versions starting at 5.3.7.

Have a look at the documentation and the library you can use.

Its superior feature compared to your current solution is that it allows you to upgrade password hashes if you decide to use a better algorithm or improved settings later.

example:

// password_hash() picks the algorithm, generates the salt and encodes everything into one string.
$store_this = password_hash("rasmuslerdorf", PASSWORD_DEFAULT);

// password_verify() reads algorithm, cost and salt back out of the stored string.
true === password_verify('rasmuslerdorf', $store_this);
Sven
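The upgrade path the answer mentions is what `password_needs_rehash()` is for. The following is an added example, not code from the question or the answer: a register/login flow on `password_hash()` / `password_verify()` that transparently re-hashes a stored password when the algorithm or cost falls behind the current policy. It assumes PHP 7.0 or later (`random_bytes`, `??`, scalar type hints); the `$users` array stands in for the database table and `registerUser()` / `loginUser()` are illustrative names. The "alice" row is constructed the way the question builds its hash, at cost 10, so there is something to upgrade.

```php
<?php
declare(strict_types=1);

// Added example (not the question's or the answer's code). Assumes PHP >= 7.0.
// $users is an in-memory stand-in for the users table: username => password hash.

const HASH_ALGO    = PASSWORD_DEFAULT;  // bcrypt today; PHP may switch the default in a later release
const HASH_OPTIONS = ['cost' => 12];    // raise until password_hash() takes roughly 100 ms on your server

/**
 * Hash a new password for storage. Salt generation, encoding and the
 * algorithm identifier are all handled by password_hash().
 */
function registerUser(array &$users, string $username, string $password): void
{
    $hash = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    if ($hash === false) {           // PHP 7 returns false on failure; PHP 8 throws instead
        throw new RuntimeException('password_hash() failed');
    }
    $users[$username] = $hash;
}

/**
 * Verify a login. password_verify() reads algorithm, cost and salt from the
 * stored string, so hashes produced with crypt() and a '$2y$' salt, as in the
 * question, verify unchanged. When the stored hash is weaker than the current
 * policy (older algorithm or lower cost), it is rewritten while the plaintext
 * is in hand, which is the only moment a rehash is possible.
 */
function loginUser(array &$users, string $username, string $password): bool
{
    // Always run password_verify(), even for an unknown user, against a dummy
    // hash, so response time does not reveal which usernames exist.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy-password-for-timing', HASH_ALGO, HASH_OPTIONS);
    }
    $stored = $users[$username] ?? $dummy;

    if (!password_verify($password, $stored) || !isset($users[$username])) {
        return false;
    }

    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

// Usage. The legacy row for "alice" is constructed here the way the question
// does it (bcrypt via crypt(), cost 10); single quotes stop PHP from interpolating '$2y$'.
$users = [];
$legacySalt = '$2y$10$' . substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
$users['alice'] = crypt('correct horse battery staple', $legacySalt);

var_dump(loginUser($users, 'alice', 'wrong password'));
var_dump(loginUser($users, 'alice', 'correct horse battery staple'));
var_dump(password_get_info($users['alice'])['options']);   // cost after the successful login

registerUser($users, 'bob', 'hunter2');
var_dump(loginUser($users, 'bob', 'hunter2'));
var_dump(loginUser($users, 'nobody', 'hunter2'));
```

After alice's first successful login her row no longer carries the cost-10 hash from the question but a fresh `PASSWORD_DEFAULT` hash at cost 12; the wrong-password attempt leaves the row untouched, because the rehash only runs after verification succeeds. A stored hash with the old `$2a$` prefix behaves the same way: `password_verify()` still accepts it (it is `crypt()` underneath), `password_get_info()` does not recognise it as bcrypt, and `password_needs_rehash()` therefore returns true, so such rows are migrated on their next login as well.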