
I'm working on a website that should be very safe for the users, so I need to hash the passwords. Usually I'm using MD5, but I read that it isn't safe anymore. So I tried PHPass, but then I read that it also has been cracked. So I tried password_hash() of PHP 5.5, but I use HostGator, and the PHP there is 5.4. Also I want to be able to add salt without knowing it (like time() * userid()), like in password_hash().

The hash strength is very important to me because I want to be 100% sure that my users are safe. So is there a way that is very safe and not something like SHA that will be hacked soon?

halfer
  • sha256 is a, for now, still fairly reliably secure one-way hashing function suitable for password storage. – Mike 'Pomax' Kamermans Dec 28 '13 at 09:40
  • Look here : http://stackoverflow.com/a/6337021/2629998. –  Dec 28 '13 at 09:40
  • @halfer the answers suggested he use PHPass, but as I write here, it isn't safe anymore. This was great in 2012, but we're in 2014 already (almost)... –  Dec 28 '13 at 10:04
  • @Vlad: the accepted answer there covers the library that offers `password_hash` for users who don't yet have 5.5. As such, I think this question is still a duplicate. – halfer Dec 28 '13 at 10:08
  • Aside: it is generally not recommended to add your own salts with `password_hash`, unless you understand the cryptography behind it. It will add its own salts fine on its own - see the PHP manual page. – halfer Dec 28 '13 at 10:10
  • Also see Openwall's [Portable PHP password hashing framework](http://www.openwall.com/phpass/) (PHPass). It's hardened against a number of common attacks on user passwords. – jww Oct 11 '14 at 23:31
  • check the link https://brabho.com/articles/rightway-to-hash-password-in-php – Krishna Torque Mar 12 '17 at 16:02

4 Answers


Use this library which provides forward compatibility with the password_* functions.

Example usage:

require_once("password.php"); // imports the library, assuming it's in the same directory as the current script

$password = "HelloStackOverflow"; // example password

$hash = password_hash($password, PASSWORD_BCRYPT); // here's the hash of the previous password

$hash = password_hash($password, PASSWORD_BCRYPT, array("cost" => 10)); // you can set the "complexity" of the hashing algorithm, it uses more CPU power but it'll be harder to crack, even though the default is already good enough

if (password_verify($password, $hash)) { // checking if a password is valid
    /* Valid */
} else {
    /* Invalid */
}
  • It is the same as `password_hash()` in PHP 5.5 or it's weaker? What cost do you suggest to use (I hosted in HostGator so I guess that their servers are strong)? –  Dec 28 '13 at 10:12
  • @VladGincher yes it is the same... I've never used it so I don't know what cost... I guess you may just use the default. –  Dec 28 '13 at 10:20
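As an added example (not the answer's own code), the snippet below shows how a site that currently stores unsalted MD5 hashes, as the question describes, can use the password_compat library to hash new passwords with bcrypt, pick a cost by measurement rather than guesswork, and upgrade each legacy row the next time its owner logs in. It assumes `password.php` from the library sits next to the script; the function names `chooseBcryptCost`, `createHash` and `verifyAndUpgrade` and the sample password are constructed for this example. On PHP 5.5+ the same functions are built in and the `require_once` can be dropped.

```php
<?php
// Added example, not the original answer's code. It assumes password.php from
// the password_compat library sits next to this script; on PHP 5.5+ the same
// functions are built in and the require_once can be removed.
require_once __DIR__ . '/password.php';

// Choose a bcrypt cost empirically: raise it until a single hash takes roughly
// the time you are willing to spend per login (about 50-100 ms is common).
function chooseBcryptCost($targetSeconds = 0.05, $maxCost = 14)
{
    for ($cost = 8; $cost < $maxCost; $cost++) {
        $start = microtime(true);
        password_hash('benchmark-only', PASSWORD_BCRYPT, array('cost' => $cost));
        if (microtime(true) - $start >= $targetSeconds) {
            return $cost;
        }
    }
    return $maxCost;
}

// Registration: store only the string password_hash() returns. The salt is
// generated by the library and embedded in that string, so there is no
// separate salt to manage (and no reason to derive one from time() or a user id).
function createHash($plaintext, $cost)
{
    return password_hash($plaintext, PASSWORD_BCRYPT, array('cost' => $cost));
}

// Login for a site migrating from unsalted md5: rows that still hold an md5
// hash (32 hex chars) are checked the old way once, then replaced with bcrypt.
// Returns array(bool $ok, string|null $hashToStore); a non-null second element
// means the caller should overwrite the stored hash in the database.
function verifyAndUpgrade($plaintext, $stored, $cost)
{
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        // Legacy path: md5 column. This is the only place the old scheme is
        // still evaluated, and the row is upgraded immediately afterwards.
        if (md5($plaintext) !== $stored) {
            return array(false, null);
        }
        return array(true, createHash($plaintext, $cost));
    }

    if (!password_verify($plaintext, $stored)) {
        return array(false, null);
    }

    // Already bcrypt: rehash only if the cost (or algorithm) has since changed.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, array('cost' => $cost))) {
        return array(true, createHash($plaintext, $cost));
    }
    return array(true, null);
}

// --- Self-check with constructed sample data ---
$cost = chooseBcryptCost();
$plaintext = 'correct horse battery staple'; // constructed sample password

$stored = createHash($plaintext, $cost);
list($ok, $upgrade) = verifyAndUpgrade($plaintext, $stored, $cost);
if (!$ok || $upgrade !== null) {
    throw new RuntimeException('fresh bcrypt hash should verify and need no rehash');
}

list($ok, $upgrade) = verifyAndUpgrade('wrong password', $stored, $cost);
if ($ok) {
    throw new RuntimeException('wrong password must not verify');
}

// A row still holding the old md5 hash verifies once and comes back with a
// bcrypt replacement to write back.
$legacyRow = md5($plaintext);
list($ok, $upgrade) = verifyAndUpgrade($plaintext, $legacyRow, $cost);
if (!$ok || $upgrade === null || !password_verify($plaintext, $upgrade)) {
    throw new RuntimeException('legacy md5 row should upgrade to bcrypt');
}

// A bcrypt hash made at a lower cost than the current setting is also flagged.
$weaker = password_hash($plaintext, PASSWORD_BCRYPT, array('cost' => 5));
list($ok, $upgrade) = verifyAndUpgrade($plaintext, $weaker, $cost);
if (!$ok || $upgrade === null) {
    throw new RuntimeException('low-cost hash should be rehashed');
}
echo "all checks passed (cost $cost)\n";
```

The cost returned by `chooseBcryptCost` depends on the host's CPU, which is why it is measured on the server rather than hard-coded; `password_needs_rehash` is what lets you raise it later without forcing a password reset, since every successful login silently replaces an out-of-date hash.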

PHP comes with built-in hash algorithms such as MD5, SHA1 etc. However, from a security perspective, it's not recommended to use these functions to hash passwords as they can be easily broken via brute-force attack using tools like Passwordpro.

It's better if you use salting as a way to secure your passwords. Below is an example:

$password = 'yourpassword';
$salt = 'randomstr!ng';
$password = md5($salt.$password);

An even better way of generating the salt is by hashing it first:

$password = 'yourpassword';
$salt = sha1(md5($password));
$password = md5($password.$salt);

The advantage is that this way the salt value is random and it changes for each password, making it nearly impossible to break.

Hyder B.
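An added check, not part of the answer above: the property a salt is meant to provide is that two accounts with the same password end up with different stored hashes, so a quick way to evaluate any salting scheme is to hash the same password for two constructed users and compare the results. The code below does that for the password-derived salt shown in the answer and for a per-user random salt stored beside the hash. It uses only functions built into PHP 5.4; the helper names and the two sample users are constructed for this example.

```php
<?php
// Added example, not the answer's code. Uses only built-in PHP 5.4 functions
// (md5, sha1, openssl_random_pseudo_bytes) and constructed sample users.

// Scheme from the answer above: the "salt" is computed from the password itself,
// so it is fully determined by the password and needs no storage.
function hashPasswordDerivedSalt($password)
{
    $salt = sha1(md5($password));
    return md5($password . $salt);
}

// Per-user random salt: generated once at registration and stored next to the
// hash so the same salt can be reused when the user logs in.
function hashRandomSalt($password, $salt = null)
{
    if ($salt === null) {
        $salt = bin2hex(openssl_random_pseudo_bytes(16));
    }
    return array('salt' => $salt, 'hash' => md5($salt . $password));
}

// Login check for the random-salt scheme: recompute with the stored salt.
function verifyRandomSalt($password, array $record)
{
    $again = hashRandomSalt($password, $record['salt']);
    return $again['hash'] === $record['hash'];
}

// The property under test: are the stored hashes pairwise distinct?
function storedHashesAreDistinct(array $hashes)
{
    return count(array_unique($hashes)) === count($hashes);
}

// Two constructed accounts that happen to share a password (a common situation
// in any real user table).
$users = array('alice' => 'Winter2014', 'bob' => 'Winter2014');

$derived = array();
$randomRecords = array();
foreach ($users as $name => $pw) {
    $derived[$name] = hashPasswordDerivedSalt($pw);
    $randomRecords[$name] = hashRandomSalt($pw);
}
$randomHashes = array_map(function ($r) { return $r['hash']; }, $randomRecords);

// Derived salt: identical passwords give identical stored hashes, so the
// database reveals which accounts share a password.
echo 'derived-salt hashes distinct: ' . var_export(storedHashesAreDistinct($derived), true) . "\n";

// Random salt: identical passwords give different stored hashes, and each
// record still verifies against its own salt.
echo 'random-salt hashes distinct:  ' . var_export(storedHashesAreDistinct($randomHashes), true) . "\n";
foreach ($users as $name => $pw) {
    if (!verifyRandomSalt($pw, $randomRecords[$name])) {
        throw new RuntimeException("random-salt record for $name failed to verify");
    }
}
```

Run it and the derived-salt check reports `false` while the random-salt check reports `true`: a value computed from the password alone cannot vary between users who chose the same password, which is the reason the `password_hash()` family generates its salt from a random source and stores it inside the hash string. Note that a random salt fixes only this uniqueness property; it does not make `md5` slow, so the cost-based functions discussed in the other answers remain the better choice.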

Take a look at http://php.net/manual/de/function.crypt.php

You should consider using salts to prevent rainbow table attacks. You can find a tutorial here: http://www.yiiframework.com/wiki/425/use-crypt-for-password-storage/

mario.schlipf

I think that the best thing is using a library to manage passwords.
If you cannot use PHP 5.5, you can try this library that works with PHP 5.3+; have a look at this project:

http://rchouinard.github.io/phpass/

Christian Giupponi