
Would the following be a safe way of storing a user's password in a database?

When registering:

$salt=hash("sha512", rand());
$password=hash("sha512", $_POST["password"].$salt);

insert_values_into_db;   // pseudocode: store $salt and $password for the user

When logging in:

$given_password=$_POST["password"];

$salt=get_salt_from_db;                 // pseudocode: load the stored salt
$correct_password=get_password_from_db; // pseudocode: load the stored hash

if(hash("sha512", $given_password.$salt) === $correct_password){
    //Password is correct
}else{
    //Password is incorrect
}

Are there any blatantly obvious errors with this?

  • I'm not so caught up on which hash functions are the best to use these days but this logic seems sound. – Mingle Nov 06 '13 at 20:35
  • Nothing jumps out at me as a problem. – SamA Nov 06 '13 at 20:35
  • 1
    Although the best way would probably be using the password_hash() functions, or https://github.com/ircmaxell/password_compat for earlier versions of PHP – Mark Baker Nov 06 '13 at 20:38

3 Answers


Best solution: If you have PHP version 5.5 or above, use the password_hash function. If not, check out the password_compat library by ircmaxell.

– Wayne Whitty

All these hashes are optimized for speed and made to go easy on the processor. (MD5, SHA512, etc.) Because of this cracking them is just as easy. I would either re-hash a couple more times or just use the crypt method: http://php.net/manual/en/function.crypt.php.

Read more on password hashing in the documentation of PHP: http://php.net/manual/en/faq.passwords.php
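Two points from this answer worked through in code, as an added example that is not part of the original answer: bcrypt via crypt() for PHP versions that predate password_hash() (the `$2y$` prefix requires 5.3.7+), and a quick timing of one salted SHA-512 guess against one bcrypt guess to show why a fast hash is the wrong tool even with a salt. The cost factor of 10 and the iteration counts are assumptions chosen for the demonstration.

```php
<?php
// Added example (not from the original answer). bcrypt through crypt(), plus
// a measurement of how cheap a salted SHA-512 guess is by comparison.
// Cost 10 and the iteration counts are assumptions for the demo.

function bcrypt_hash($password, $cost = 10) {
    // crypt() wants a 22-character salt from the alphabet ./A-Za-z0-9.
    // 16 random bytes base64-encode to 24 characters; swap '+' for '.'
    // and keep the first 22.
    $raw  = openssl_random_pseudo_bytes(16);
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
    // crypt() reports failure with a short string ("*0" or "*1");
    // a real bcrypt result is always 60 characters. Never store the failure.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt unavailable or salt rejected');
    }
    return $hash;
}

function bcrypt_verify($password, $stored) {
    // The stored string carries algorithm, cost and salt, so passing it back
    // as the "salt" argument re-derives the hash for the candidate password.
    $computed = crypt($password, $stored);
    // Constant-time comparison; hash_equals() only exists from PHP 5.6.
    if (strlen($computed) !== strlen($stored)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($stored); $i++) {
        $diff |= ord($computed[$i]) ^ ord($stored[$i]);
    }
    return $diff === 0;
}

function seconds_per_call(callable $fn, $iterations) {
    $start = microtime(true);
    for ($i = 0; $i < $iterations; $i++) {
        $fn();
    }
    return (microtime(true) - $start) / $iterations;
}

$password = 'correct horse battery staple';
$stored   = bcrypt_hash($password);
var_dump(bcrypt_verify($password, $stored));
var_dump(bcrypt_verify('wrong guess', $stored));

// One salted SHA-512 guess versus one bcrypt guess at cost 10. Absolute
// numbers depend on the machine; the ratio is what an attacker running a
// wordlist against a leaked table cares about.
$salt   = hash('sha512', 'fixed salt for the measurement');
$sha    = seconds_per_call(function () use ($password, $salt) {
    hash('sha512', $password . $salt);
}, 20000);
$bcrypt = seconds_per_call(function () use ($password, $stored) {
    crypt($password, $stored);
}, 5);
printf("salted sha512: %.2e s/guess, bcrypt cost 10: %.2e s/guess, ratio %.0f\n",
       $sha, $bcrypt, $bcrypt / $sha);
```

Raising the cost parameter doubles the work per guess for each increment, which is the knob a fast hash like SHA-512 simply does not have; re-hashing "a couple more times" by hand only buys a small constant factor.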


The most common way of storing passwords in a database people use is either

md5 the password like : md5($password)

OR

crypt($password)

You could also add double md5 or double crypt for the password to be really secure

– Diego Claudiu
    md5, just say no. And double, if you mean md5(md5($password)), actually decreases security –  Nov 06 '13 at 20:49