1

Which is the most secure and most efficient way for storing passwords inside the database tables using PHP?

So far I have used the md5() and the sha256 algorithm for storing passwords where both of them can be easily hacked using rainbow tables if finally someone gain access on the database.

Csalt
  • 45
  • 11
  • [password_hash](http://www.php.net/manual/en/ref.password.php) if you're on PHP >= 5.5.0, or [password_compat](https://github.com/ircmaxell/password_compat) if on PHP >=5.3.7 – Mark Baker Sep 29 '13 at 21:44
  • While this is a "duplicate", **please follow the links here** as the new `password_*` API is the correct approach for a custom authentication store implementation - unless, perhaps, you're Bruce. – user2246674 Sep 29 '13 at 21:57

2 Answers2

3

Bcrypt is usually considered the most secure option.

If you're using PHP 5.5 you can use the new password hashing API to make it easier to work with. There's a decent tutorial at Hashing Passwords with the PHP 5.5 Password Hashing API.

Using bcrypt is the currently accepted best practice for hashing passwords, but a large number of developers still use older and weaker algorithms like MD5 and SHA1. Some developers don’t even use a salt while hashing. The new hashing API in PHP 5.5 aims to draw attention towards bcrypt while hiding its complexity ..

user2246674
  • 7,621
  • 25
  • 28
Matthew Daly
  • 9,212
  • 2
  • 42
  • 83
3

Using bcrypt with hash is currently the best thing to do using PHP. Don't use md5 or sha1 functions, as they are older and weaker algorithms.

Since PHP 5.5, you can use the new password_hash, password_verify, password_needs_rehash and password_get_info. You can read more about the new hashing functions here:

The password hashing API [.. makes] it easy to create and manage passwords in a secure manner.

also:

This extension is available since PHP 5.5.0 but there is also an » userland implementation for PHP >= 5.3.7.

Yam Mesicka
  • 6,243
  • 7
  • 45
  • 64