13

What is better with salt for password storage?

MD5:

$hash = md5($password . $salt);

Password_hash:

$hash = password_hash($password, PASSWORD_DEFAULT, $salt);

SHA1:

$result = sha1($salt.$string);
Noah Gary
  • 916
  • 12
  • 25
Joci93
  • 803
  • 3
  • 10
  • 24
  • 1
    I'm voting to close this question as off-topic because it is about analysing security properties and has no programming question. – Duncan Jones Mar 19 '15 at 14:40
  • Take a look at http://stackoverflow.com/questions/2235158/sha1-vs-md5-vs-sha256-which-to-use-for-a-php-login – bog500 Mar 19 '15 at 14:43
  • You are correct. This does deal with security. No programming here as far as I can see. – Noah Gary Jun 06 '16 at 14:56

2 Answers2

30

You should absolutely use the password_hash() function without providing your own salt:

$hash = password_hash($password, PASSWORD_DEFAULT);

The function will generate a safe salt on its own. The other algorithms are ways too fast to hash passwords and therefore can be brute-forced too easily (about 8 Giga MD5 per second).

martinstoeckli
  • 23,430
  • 6
  • 56
  • 87
  • 1
    what about when you need to authenticate and you dont know the salt that has been generated? I am asking to learn. Not to correct. – Noah Gary Jun 03 '16 at 17:44
  • 10
    Never mind.... password_verify() function is used. Leaving my comments for future users with the same question. – Noah Gary Jun 03 '16 at 17:47
3

Salts are great when you are storing lots of passwords, otherwise they are fairly useless since they are stored in plaintext. If an attacker manages to get your hashed passwords, then assume that they can get their hands on your salts. Use SHA-256 because it's a cryptographically strong hash function, and use salts. But most importantly, just use strong passwords combined with strong hashing algorithms.

Ramonster
  • 444
  • 4
  • 15