
I'm still using md5 hashing for my site and I need to upgrade, yet I don't know how... Here is the code that I'm using now

    <?php
    // Three fixed strings, each run through md5() to produce the "salts"
    $salt1 = "mysite";
    $salt1 = md5($salt1);

    $salt2 = "passed";
    $salt2 = md5($salt2);   // computed but never used below

    $salt3 = "php";
    $salt3 = md5($salt3);

    // $password1 is the user-supplied password (assigned elsewhere in the original code);
    // the two fixed salts are concatenated around it
    $password1 = $salt1.$password1.$salt3;
Ivan Nevostruev
Ayoub
  • to what people nowadays use... – Ayoub Apr 16 '14 at 01:23
  • that narrows it down, people use everything and nothing –  Apr 16 '14 at 01:25
  • Also see Openwall's [PHP password hashing framework](http://www.openwall.com/phpass/) (PHPass). It's portable and hardened against a number of common attacks on user passwords. The guy who wrote the framework (SolarDesigner) is the same guy who wrote [John The Ripper](http://www.openwall.com/john/) and sits as a judge in the [Password Hashing Competition](http://password-hashing.net/). So he knows a thing or two about attacks on passwords. – jww Oct 12 '14 at 01:59

2 Answers

Hopefully you're upgrading to bcrypt, which is now the standard. (PHP 5 >= 5.5.0)

The easiest way to do this is to store passwords in two columns. When someone connects and they don't have a bcrypt hashed password, take the valid password they entered, hash it with bcrypt, and store it in the new column. That user is now converted and you can blank out their old MD5ed one.

After a few months, disable any users who haven't used the site in that long and make them do a password reset to get access back. This allows for a gradual transition with minimal user impact.

Funk Forty Niner
ceejayoz
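The lazy-migration scheme this answer describes, written out as an added PHP example (this is not code from the question, the answer, or the PHP manual). It assumes a users table with an old `md5_password` column and a new `bcrypt_password` column, represented here by an associative array, and it assumes the legacy stored value is `md5(md5("mysite") . $password . md5("php"))`, which is what the question's snippet appears to build. It needs PHP 7.1 or later for the nullable return type.

```php
<?php
// Added example (not from the question or either answer): migrate a user from
// the question's MD5 scheme to bcrypt the next time they log in successfully.
// Assumptions (labelled): the row has `md5_password` and `bcrypt_password`
// columns, and the legacy digest is md5(md5("mysite") . $pw . md5("php")).

declare(strict_types=1);

const BCRYPT_OPTIONS = ['cost' => 12];

/** Recompute the legacy digest exactly as the question's code appears to. */
function legacy_md5(string $password): string
{
    $salt1 = md5('mysite');
    $salt3 = md5('php');
    return md5($salt1 . $password . $salt3);
}

/**
 * Check a login attempt against a user row and return the row as it should
 * now be stored (bcrypt filled in, MD5 blanked), or null when the password
 * is wrong. $user is an associative array standing in for a database row.
 */
function authenticate(array $user, string $password): ?array
{
    if ($user['bcrypt_password'] !== null) {
        // Already migrated: plain bcrypt check.
        if (!password_verify($password, $user['bcrypt_password'])) {
            return null;
        }
        // If the cost was raised since this hash was made, upgrade it now
        // while the plaintext is available for this request.
        if (password_needs_rehash($user['bcrypt_password'], PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
            $user['bcrypt_password'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
        }
        return $user;
    }

    // Not yet migrated: compare against the legacy MD5 in constant time.
    if ($user['md5_password'] === null || !hash_equals($user['md5_password'], legacy_md5($password))) {
        return null;
    }

    // Correct password: hash it with bcrypt, keep that, and discard the MD5.
    $user['bcrypt_password'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    $user['md5_password'] = null;
    return $user;
}

// Constructed sample row: a user whose password "correct horse" is stored under the old scheme.
$row = ['id' => 1, 'md5_password' => legacy_md5('correct horse'), 'bcrypt_password' => null];

$failed   = authenticate($row, 'wrong guess');         // null: nothing is migrated on a failed attempt
$migrated = authenticate($row, 'correct horse');       // bcrypt_password set, md5_password cleared
$again    = authenticate($migrated, 'correct horse');  // verified through bcrypt only

echo $failed === null ? "rejected wrong password\n" : "BUG: wrong password accepted\n";
echo ($migrated !== null && $migrated['md5_password'] === null
      && strpos($migrated['bcrypt_password'], '$2y$12$') === 0)
    ? "migrated to bcrypt\n" : "BUG: migration did not happen\n";
echo $again !== null ? "bcrypt login ok\n" : "BUG: bcrypt login failed\n";
```

Two points worth noting. The MD5 column is only cleared on a successful login, so the "disable stale accounts after a few months" step in the answer is what eventually removes the last legacy digests. If leaving MD5 values at rest for months is unacceptable, an alternative is to rewrite every row up front as `password_hash($md5_password, PASSWORD_BCRYPT, ...)` and verify legacy users with `password_verify(legacy_md5($password), $stored)` until they are rehashed from the plaintext on their next login; that removes all raw MD5 digests immediately at the cost of slightly more code.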
<?php
/**
 * In this case, we want to increase the default cost for BCRYPT to 12.
 * Note that we also switched to BCRYPT, which will always be 60 characters.
 */
$options = [
    'cost' => 12,
];
echo password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options)."\n";
?>

This is from the PHP manual; it is the direction you need to go in. I would suggest further reading of the bcrypt feature built into PHP to gain a more insightful understanding.

Skewled
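The manual snippet above hardcodes a cost of 12, but how long a bcrypt hash takes at a given cost depends entirely on the hardware, so the cost should be measured on the server that will run it. Added example (not from the answer or the PHP manual): time one hash at each cost and keep the highest cost that stays within a latency budget. The 250 ms budget and the starting cost of 10 are assumed values for this example; the probe string is constructed and has no meaning.

```php
<?php
// Added example: pick a bcrypt cost for this host empirically. Each +1 in cost
// roughly doubles the time per hash, so stop at the first cost that exceeds
// the budget and keep the one before it.

function choose_bcrypt_cost(float $budget_seconds = 0.25, int $min = 10, int $max = 31): int
{
    $chosen = $min;
    for ($cost = $min; $cost <= $max; $cost++) {
        $start = microtime(true);
        password_hash('timing-probe-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsed = microtime(true) - $start;
        if ($elapsed > $budget_seconds) {
            break;           // too slow for an interactive login on this host
        }
        $chosen = $cost;     // still within budget; remember it and try the next
    }
    return $chosen;
}

$cost = choose_bcrypt_cost();
printf("Using bcrypt cost %d on this host\n", $cost);

// New hashes then use the tuned cost; the prefix "$2y$<cost>$" records it in the hash itself.
echo password_hash("rasmuslerdorf", PASSWORD_BCRYPT, ['cost' => $cost]), "\n";
```

Run this once at deployment rather than on every request, since the probe itself costs a few hashes' worth of CPU, and re-run it when the hardware changes. Because the cost is stored in the hash prefix, raising it later does not break existing hashes; `password_needs_rehash()` reports which stored hashes were made with a lower cost so they can be upgraded at the user's next login.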