
I'm creating a framework which I intend to use on private jobs only and which won't be released to the general public (I mean, aside from giving it to clients), and I'm wondering 3 things. Given the following:

$password = $_POST['password'];
for ($i = 0; $i < 50000; $i++) {
    // hash() needs an algorithm name as its first argument; sha256 assumed here
    $password = hash('sha256', $password . hash('sha256', $application_salt . $per_user_salt));
}

1) Is this generally a good way of dealing with passwords?

2) What is a good (I'm fairly sure slow is good) hashing algorithm to use here?

3) What's the best algorithm for generating a good random per_user_salt (I believe more random is better)?

Please bear in mind, this is not exactly as the code will appear; I've simplified it for the purposes of this question. I'm looking more at the 'philosophy' of dealing with passwords in this way.

Prinsig
  • The best would probably be to let someone else stand for the passwords, e.g. Facebook; else there's a nice addon which processes passwords and stores them, called bluefish if I recall right. – Jim Sundqvist Jan 02 '15 at 17:10
  • Use bcrypt or scrypt or PBKDFv2. – SLaks Jan 02 '15 at 17:11
  • This question is not just asking which hashing algorithm to use, but also whether the method proposed is effective. – Prinsig Jan 02 '15 at 17:13
  • The work is already done: use the [password_hash()](http://www.php.net/manual/en/function.password-hash.php) function; it also generates a cryptographically safe salt. – martinstoeckli Jan 02 '15 at 20:01
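The two approaches the comments recommend, written out as an added example (this is not code from the question or from any commenter). It assumes PHP 7 or later (`random_bytes()`), an in-memory array standing in for the user table, and cost/iteration values chosen here for illustration. `password_hash()`/`password_verify()` answer questions 1 and 3 together, since bcrypt generates and stores its own random salt; `hash_pbkdf2()` is the standardized form of the 50000-iteration loop in the question, for anyone who wants to keep that design.

```php
<?php
// Added example, not from the question or comments. Shows bcrypt via
// password_hash() for storage and hash_pbkdf2() as the standard version of
// the asker's iterated hash loop. Names, costs and the $users array are
// assumptions made for this example.

const BCRYPT_COST = 12;          // tune so one hash takes roughly 100-250 ms on the real server
const PBKDF2_ITERATIONS = 50000; // same count as the loop in the question

// Q3: a per-user salt must come from the OS CSPRNG, never rand()/mt_rand()
// or a hash of the username or time. password_hash() does this internally,
// so this helper is only needed when building on hash_pbkdf2() directly.
function generate_salt(int $bytes = 16): string {
    return random_bytes($bytes); // PHP 7+; throws if no secure source is available
}

// Recommended path: password_hash() picks the salt and encodes algorithm,
// cost, salt and digest into one string that is stored as-is.
function register_user(array &$users, string $username, string $password): void {
    $users[$username] = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function login(array &$users, string $username, string $password): bool {
    // A dummy hash computed once so an unknown username costs about the same
    // time as a wrong password (keeps user enumeration by timing harder).
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy-password', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    if (!isset($users[$username])) {
        password_verify($password, $dummy);
        return false;
    }
    $stored = $users[$username];
    if (!password_verify($password, $stored)) {
        return false;
    }
    // Transparent upgrade when BCRYPT_COST is raised later.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $users[$username] = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    return true;
}

// The loop from the question, done with the standard primitive instead of a
// hand-rolled chain: PBKDF2-HMAC-SHA256. Salt and iteration count are stored
// next to the digest so the count can be raised per user later.
function pbkdf2_store(string $password): array {
    $salt = generate_salt();
    return [
        'salt'       => bin2hex($salt),
        'iterations' => PBKDF2_ITERATIONS,
        'hash'       => hash_pbkdf2('sha256', $password, $salt, PBKDF2_ITERATIONS, 0),
    ];
}

function pbkdf2_check(string $password, array $record): bool {
    $candidate = hash_pbkdf2('sha256', $password, hex2bin($record['salt']), $record['iterations'], 0);
    return hash_equals($record['hash'], $candidate); // constant-time comparison
}

// Usage with constructed sample data.
$users = [];
register_user($users, 'alice', 'correct horse battery staple');
var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump(login($users, 'alice', 'wrong password'));
var_dump(login($users, 'nobody', 'anything'));

$record = pbkdf2_store('hunter2');
var_dump(pbkdf2_check('hunter2', $record));
var_dump(pbkdf2_check('hunter3', $record));
```

The `password_hash()` path needs no application-wide secret and no per-user salt column: everything the verifier needs is inside the stored string, and `password_needs_rehash()` lets the cost grow over time. The `hash_pbkdf2()` path keeps the question's structure but fixes the two things a hand-written chain usually gets wrong: the salt is mixed into every iteration through HMAC rather than hashed once and concatenated, and the comparison is constant-time.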

0 Answers