1

I am trying to understand password_hash fully in order to be able to explain it for an auditor.

Based on my searching for an answer, I understand that the password_hash() function is a wrapper for crypt(). While reading the PHP manual for predefined Constants I see that it uses PASSWORD_BCRYPT as the default integer value (basically it uses the CRYPT_BLOWFISH algorithm to hash a password).

What's confusing me is that the $options variable, if omitted, generates a random salt and the cost will be set to 10. If I supply a higher cost (for example: 12), will it still generate a random salt since I am not supplying a salt value? The reason why I am confused here is because I am not omitting the $options but instead supplying a different cost.

My other questions:

  • Why does increasing the cost value increase security?
  • How, since password_hash() is a one way hashing function, does password_verify() validate the password since the salt is random?
  • Is CRYPT_SHA512 stronger than CRYPT_BLOWFISH for hashing?
Dave
  • 498
  • 2
  • 7
  • 22
Jaylen
  • 39,043
  • 40
  • 128
  • 221
  • 1
    If you increase the cost, it takes longer to verify, making brute-force attacks slower – Mark Baker Aug 06 '14 at 18:09
  • 1
    The options are separate. If you supply any cost, it will still generate a random salt, and if you supply just a salt, it will use a cost of 10. It says nowhere that it work any other way. – GolezTrol Aug 06 '14 at 18:11
  • From the docs at http://php.net/manual/en/function.crypt.php "*The two digit cost parameter is the base-2 logarithm of the iteration count for the underlying Blowfish-based hashing algorithmeter and must be in range 04-31, values outside this range will cause crypt() to fail.*" In other words the cost determines the number of times that the algorithm loop happens. – Jay Blanchard Aug 06 '14 at 18:11
  • Also note that `PASSWORD_DEFAULT` is actually the default. This happens to be the same value as `PASSWORD_BCRYPT` *in the current PHP version*, but it may change in future versions. – GolezTrol Aug 06 '14 at 18:12
  • you can checkout http://gkombs.blogspot.com/2014/07/password-storage-mistakes.html. it contains useful information – Kxng Kombian Aug 06 '14 at 18:13
  • Maybe you are interested in my tutorial about [safely storing passwords](http://www.martinstoeckli.ch/hash/en/index.php). There i tried to explain, the idea behind salt, cost-factor and why BCrypt is more appropriate than SHA512 to hash passwords. – martinstoeckli Aug 07 '14 at 09:05

3 Answers3

4

I find this article incredibly useful to understand how to correctly hash passwords. It explains how hashes can be cracked with various techniques if the hashes are weak, and how to hash passwords correctly to provide sufficient security.

If I supply a higher cost (say 12), will it still generate a random salt since I am not supplying a salt value

Yes it will - as the documentation says if salt is omitted, a random salt will be generated by password_hash() for each password hashed (this means if you omit the salt value from your options array, it will be generated by password_hash() function defaultly). Moreover, the salt option has been deprecated since php 7.0.

why increases to the cost value increase security?

This is also explained in the above article in section Making Password Cracking Harder: Slow Hash Functions. The higher the cost is set to, the slower is the hash function. The idea is to make the hash function very slow, so that even with a fast GPU or custom hardware, dictionary and brute-force attacks are too slow to be worthwhile. The cost should be however set to reasonable value (based on the specs of your server), so that it doesn't cause significant time delays when verifying users' passwords.

More, is CRYPT_SHA512 stronger that CRYPT_BLOWFISH for hashing?

Read this post about their comparison.

Community
  • 1
  • 1
mbuster
  • 170
  • 14
2

Password hash works by using crypt() in basically a wrapper. It returns a string that contains the salt, the cost and the hash all in one. It is a one-way algorithm, in that you don't decrypt it to validate it, you simply pass the original string in with your password and if it generates the same hash for the provided password, you're authenticated.

It's best to omit the salt and let it generate one for you. If you use only one salt, it makes it easier to break all your passwords instead of just that one. Salts can be generated regardless of the cost.

Cost (an exponential value) refers to how much effort goes into generating the hash (where higher = more computing power to generate a hash). Don't set it too high or you will bog your login scripts down.

Machavity
  • 30,841
  • 27
  • 92
  • 100
  • *"The salt is .... "*. Also, judging by your answer, you read the title but not the question itself, which is largely about how to supply the parameters to `password_hash`. – GolezTrol Aug 06 '14 at 18:14
  • 1
    @ Mike - Salts should be unique per password, and the password_hash() function will generate such a unique salt each time you calculate a hash. If no salt is defined in the options parameter, the function will generate a safe one, independend whether other options are set. – martinstoeckli Aug 07 '14 at 09:02
1

Generally speaking:

You always should apply a salt when hashing passwords, to have a different hash even if you have the same password. This increases security by "preventing" people from using rainbow tables to crack the password.

But bcrypt handles the salting on its own!

Back to your original question:

The cost is used to make it "costly" to crack the password with a dictionary/brute force attack.

Bcrypt basically hashes the password over and over, which makes it time consuming (=costly) to obtain the password to a given hash. If you try to find a password for a hash (brute force attack) you have to calculate billions of password hashes. When each hashing takes "$cost" times as long, then a brute force attack is not feasible. Even if you can calculate the hash for a potential password in milliseconds.

In simple terms: If you have a password hash for SHA-1 (unsecure, don't use it!) with the salt (as this is usually contained in the hash) and you want to hack it then you have to hash all possible passwords + the salt and when you find the combination with the same hash, you found a possible password for this hash.

Let's say you use a good salt and a long enough password, then you need something like 1-5 seconds for a password hash. If you use the blowfish approach with cost=10 you need 10-50 seconds for a password hash. For a single password, this is no big deal. So a directed attack for a single hash is still simple, but usually people obtain large lists of user and password combinations and they are interested to get the passwords for all of them quickly. Then this is much less lucrative for the bad guy, as he needs 10 times the CPU power to calculate all that stuff.

Patrick Cornelissen
  • 7,968
  • 6
  • 48
  • 70
  • Do you realize deleted answers are not actually deleted and anyone with 10K rep will see them. If you are just going to make a change edit the answer, don't delete and create a new answer just because there is a down vote, improve the answer and there will should be up votes if appropriate. – zaph Feb 25 '17 at 13:24
  • You are right, although this makes the concept of deleting an answer kind of obsolete. – Patrick Cornelissen Feb 25 '17 at 16:01