Secure hash generation for passwords

Question

Is it possible to get password from hash produced by following function by any method?

$salt is random 128 characters alpha numeric string.

function Get_Hash($pwd, $salt)
        {
            if ( CRYPT_BLOWFISH == 1) 
            {
                $pwd = hash("sha512",$pwd);
                $cost = "07";
                $hash = crypt($pwd, '$2a$' . $cost . '$' . $salt);
                return $hash;
            } 
            else  
            {
                $pwd = hash("sha512",$pwd);
                $hash = crypt($pwd, '$1$' . $salt . '$');
                return $hash;
            }
        }

There is already basic level brute force protection, system locked for 3-5 minutes after 3 failed attempts.

Is this good hashing function for small level application?

Thanks for your help.

score 2 · Accepted Answer · answered Nov 16 '13 at 12:08

2

Don't create your own hashing.

PHP version 5.5 has some very nice and easy to use password hashing functions, and there is a library that backports them as far as to PHP 5.3.

Include it, use it. Done.

Download here https://github.com/ircmaxell/password_compat or include via Composer:

"require":{
    "ircmaxell/password-compat":"~1.0"
}

answered Nov 16 '13 at 12:08

Sven

69,403
10
107
109

Thanks for your answer. I'll look into password_compact, as I am using 5.4 – fmask Nov 16 '13 at 12:42
just used password_compact and works flawlessly. – fmask Nov 17 '13 at 16:15

Secure hash generation for passwords

1 Answers1