
I understand and recognize that storing passwords in my own database is a massive security hole compared to using services like Google or Facebook, but I was wondering if the following code could be used to securely store usernames and passwords using a salted hash:

$username = $_POST['user'];
$salt = md5(openssl_random_pseudo_bytes(24));
$pass = sha1($salt . $_POST['pass']);

I believe it's fairly secure, but I'm no expert.

EDIT:

I think this would be better, wouldn't it?

$salt1 = md5(sha1(openssl_random_pseudo_bytes(32)));
$pass = password_hash($_POST['pass'] . $salt1, PASSWORD_BCRYPT);

Am I any closer to finding a decent mechanism for storing passwords?

Michael Shift

1 Answer


It's extremely bad (though it could be worse)

  1. SHA1 is not very secure.
  2. All direct hash functions are too fast to use for passwords.

You should use PBKDF2 or bcrypt or scrypt.

SLaks
  • Thanks. I'll work on improving it. :D – Michael Shift Jan 19 '15 at 23:18
  • Wondering why it was downvoted – zerkms Jan 19 '15 at 23:20
  • Possibly downvoted because the current best recommendation is to use password_hash/password_verify, though it's always difficult to fathom the mind of a downvoter – Mark Baker Jan 19 '15 at 23:23
  • I edited the question providing another possible way to do it, this time following your guidelines. Can you confirm that it's at least not completely awful? – Michael Shift Jan 19 '15 at 23:27
  • @MichaelShift: Now it's actually broken. `password_hash()` handles salt by itself; see the docs – SLaks Jan 19 '15 at 23:29
  • @MichaelShift `password_hash()` is designed to generate its own random salt. If you really want to generate a salt yourself, you should send it as an option (the 3rd parameter). – jeroen Jan 19 '15 at 23:29
  • @jeroen I intended to use `$salt1` just to add more randomness to the password in the database, and maybe make it a little bit slower. Not sure if that will actually happen, but it can't hurt to try. Could I not just store the salt with the pass, and retrieve it, append it to the password, and validate a login with both the autogenerated one and `$salt1`? – Michael Shift Jan 19 '15 at 23:37
  • @MichaelShift: You'll need to store it to verify the password. If you do, then you're right; it won't hurt. – SLaks Jan 19 '15 at 23:38
  • I am not the said downvoter, but 426k and that's the best you can do as an answer? There are better comments here by others in regards to using a safe and proper hashing method as per today's standards. This type of "answer" is usually found in comments under an OP's question. Had I put in something like this, I'd have probably been downvoted myself. – Funk Forty Niner Jan 19 '15 at 23:40