
I am using the basic PHP hash function to hash a password. Is the password secure enough/future proof? Or is there an industry standard on how PHP password SHA-512 hashing would be implemented? The hashed passwords are not encrypted (open to the public), so it must be super crack-proof. Thanks for your suggestions.

<?php
$password = 'passw0rd';
// Unsalted, single-round SHA-512 of the raw password
$hash = hash('sha512', $password);

I would like to use crypt(), but I have PHP 5.1.4, which means that:
  • Standard DES: stqAdD7zlbByI
  • Extended DES: not supported.
  • MD5: $1$somethin$4NZKrUlY6r7K7.rdEOZ0w.
  • Blowfish DES: not supported.
  • SHA-256: not supported.
  • SHA-512: not supported.

What options do I have now?

user3388884
  • Man... Stack Overflow needs a FAQ entry on this (or community wiki)... – jww Mar 26 '14 at 15:22
  • There's a pretty good answer here: http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords?rq=1 – Lawrence Cherone Mar 26 '14 at 15:25
  • No, it’s not. Please read [@RobertK answer to *Secure hash and salt for PHP passwords*](http://stackoverflow.com/a/401684/53114). – Gumbo Mar 26 '14 at 15:28

1 Answer

Thanks for your suggestions.

If you don't understand what the security goals are, then you should probably use Solar Designer's phpass. Solar Designer is the author of John The Ripper (JtR), and he is knowledgeable on the state of the art in recovery and protection.

If you have different security goals, then you need to be careful about the system you design. Perhaps you should fully describe what you are trying to accomplish.


I am using the basic PHP hash function to hash a password. Is the password secure enough/future proof?

John Stevens of OWASP put together a good document on server password security and storage. It walks through the attacks and threats, and then adds steps to neutralize the threats. Here are the references to the OWASP material:

jww
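The following is an added example, not code from the question, from jww's answer, or from the phpass project itself. It puts the question's unsalted hash('sha512', ...) next to the phpass library that the answer recommends, so the difference is visible on concrete input. It assumes phpass's PasswordHash.php (Solar Designer's library) is on the include path; the class name and the HashPassword/CheckPassword method names are phpass's own, and the password strings are constructed for the demonstration.

```php
<?php
// Added example: contrasts the question's approach with phpass.
// Assumes phpass's PasswordHash.php is available on the include path.
require_once 'PasswordHash.php';

// 1. What the question does: an unsalted, single-round SHA-512 digest.
function weak_hash($password)
{
    return hash('sha512', $password);
}

// Identical inputs give identical digests, so a leaked table immediately
// shows which accounts share a password, and a single precomputed table of
// hash('sha512', candidate) cracks every account using that candidate.
// SHA-512 is also fast by design, which is the wrong property for a
// password hash: an attacker can test a very large number of guesses per second.
$h1 = weak_hash('passw0rd');
$h2 = weak_hash('passw0rd');
var_dump($h1 === $h2);

// 2. phpass: a random per-user salt, many rounds, and a portable fallback.
// First argument is the cost as log2 of the iteration count. For the portable
// scheme on PHP 5, phpass adds 5 to it, so 8 gives 2^13 = 8192 rounds.
// Second argument = true forces the MD5-based portable scheme ("$P$..."),
// which works on PHP 5.1.x where crypt() has no Blowfish support; on a PHP
// build whose crypt() supports bcrypt, pass false to get bcrypt instead.
$hasher = new PasswordHash(8, true);

// Store this 34-character string; the salt and cost are embedded in it.
$stored = $hasher->HashPassword('passw0rd');

// The same password hashed again yields a different string (different salt),
// so nothing can be learned by comparing hashes across accounts.
$stored_again = $hasher->HashPassword('passw0rd');
var_dump($stored === $stored_again);

// Verification re-derives the hash from the salt stored in $stored.
var_dump($hasher->CheckPassword('passw0rd', $stored));  // correct password
var_dump($hasher->CheckPassword('password', $stored));  // wrong password
```

The portable "$P$" scheme exists precisely for the situation in the question, a PHP build whose crypt() offers only DES and MD5-crypt: it still gives you a random salt and a tunable iteration count, which is what turns a fast digest into a password hash. Raise the cost argument until hashing one password takes a noticeable fraction of a second on your server. On PHP 5.5 and later, the built-in password_hash() and password_verify() functions (bcrypt by default) are the standard choice and need no library at all.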