
I am designing a PHP website, and I used sha1 to store passwords for the users, but I later read that sha1 is unsafe and it's better to use bcrypt. Now I am trying to find out about bcrypt, but these questions, "How do you use bcrypt for hashing" and "Is Bcrypt used for hashing", are too complex; I don't understand what they explain.

```php
<?php $pass = sha1($_POST["password"]); ?>
```

but could it be:

```php
<?php $pass = bcrypt($_POST["password"]); ?>
```

or is there something better than both? Thanks.

4Jean
    PHP already provides a nice wrapper around bcrypt in the [password_hash()](http://www.php.net/manual/en/function.password-hash.php)/[password_verify()](http://www.php.net/manual/en/function.password-verify.php) functions – Mark Baker May 08 '16 at 12:06

1 Answer


If you are using PHP version 5.5+, you may use the functions password_hash() and password_verify().

EXAMPLE:

```php
$hash = password_hash("mypassword", PASSWORD_BCRYPT);
```

and to verify:

```php
if (password_verify('mypassword', $hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}
```

This is the best and most secure option in PHP today, since the salt is built into the function.

Yair.R
  • Note that it is recommended to use the `PASSWORD_DEFAULT` parameter when calling `password_hash`, because this will use the most secure algorithm implemented in PHP, as this changes over time. Also, you forgot to mention that bcrypt is much better than SHA-1 because bcrypt is a _slow_ algorithm and will slow down any attacker trying to guess passwords once they have gained access to the hashes. – SilverlightFox May 09 '16 at 07:48
  • @SilverlightFox Being a slow algorithm is not an advantage; bcrypt is much better than SHA-1 since every call gives a different 60 bit hash. – Yair.R May 09 '16 at 08:09
  • [Check here](http://dustwell.com/how-to-handle-passwords-bcrypt.html) - re: bcrypt: `there are a set of hash functions that were specifically designed for passwords. In addition to being secure "one-way" hash functions, they were also designed to be slow.`. Salt is good to prevent two users with the same password having the same hash, however you also need to slow down attackers as much as possible. – SilverlightFox May 09 '16 at 08:17
  • @SilverlightFox I think bcrypt is slow because it has a heavy algorithm and it was not on purpose (I don't believe blog articles)... I see this as a disadvantage since most of us are looking for fast performance of our systems :) . Maybe I'm wrong - it's just an opinion.. – Yair.R May 09 '16 at 08:34
  • Of course it was on purpose. Bcrypt has an iteration count that can be tuned to the performance of your system. Yes, it is counter-intuitive because the rest of your system is better as fast as possible. However, think of the situation where an attacker has access to all the password hashes. If you can set the iteration count to 10,000, it'll take the attacker 10,000 times longer for each password guess they take, and therefore 10,000 times longer to crack each password. Some passwords will never be cracked because the extra iterations will make this infeasible. – SilverlightFox May 09 '16 at 08:55
  • https://en.wikipedia.org/wiki/Bcrypt : `bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power.` – SilverlightFox May 09 '16 at 08:56
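The answer and the comment thread above cover three separate things a practitioner needs: hashing with `password_hash()`, verifying with `password_verify()`, and choosing (and later raising) the bcrypt cost factor that makes the function slow. The following script is an added example, not code from the answer or the comments; it ties those pieces together in a minimal register/login flow and uses `password_needs_rehash()` to upgrade old hashes on the next successful login. The function names, the in-memory `$users` array and the 0.25 s timing target are assumptions for illustration; the `password_*` calls and `PASSWORD_BCRYPT` are PHP's own API (5.5+). `PASSWORD_DEFAULT` can be substituted for `PASSWORD_BCRYPT` throughout, as SilverlightFox suggests.

```php
<?php
// Added example (not from the answer above): register/login with PHP's password
// API, plus tuning of the bcrypt cost factor. Function names, the in-memory
// "user table" and TARGET_SECONDS are assumptions for illustration.
declare(strict_types=1);

// Target wall-clock time for one hash on this server. Tune for your hardware
// and expected login rate; higher is slower for attackers and for you alike.
const TARGET_SECONDS = 0.25;

// Options passed to password_hash(). 'cost' is the bcrypt work factor: the
// function runs 2^cost key-setup rounds, so each +1 doubles the time.
function hashOptions(int $cost): array
{
    return ['cost' => $cost];
}

// Find the highest cost that keeps a single hash under $target seconds.
// Starts at PHP's default (10) and stops at 16 to keep the benchmark bounded.
function benchmarkCost(float $target = TARGET_SECONDS): int
{
    $cost = 10;
    do {
        $cost++;
        $start = microtime(true);
        password_hash('benchmark-only', PASSWORD_BCRYPT, hashOptions($cost));
        $elapsed = microtime(true) - $start;
    } while ($elapsed < $target && $cost < 16);
    return $cost - 1; // last cost that was still under the target
}

// Registration: store only the hash string. password_hash() generates a random
// salt and embeds it (with the algorithm and cost) in the returned string, so
// there is no separate salt column to manage. Pass the plaintext straight in;
// do not pre-hash with sha1/md5. Note bcrypt only uses the first 72 bytes.
function registerUser(array &$users, string $username, string $password, int $cost): void
{
    $users[$username] = password_hash($password, PASSWORD_BCRYPT, hashOptions($cost));
}

// Login: verify against the stored hash, then transparently re-hash if the
// stored hash was made with a lower cost (or a different algorithm) than the
// one currently configured. This is how a deployment raises its cost over time.
function loginUser(array &$users, string $username, string $password, int $cost): bool
{
    $known = isset($users[$username]);
    // For unknown users, verify against a throwaway hash so the response time
    // does not reveal whether the username exists.
    $stored = $known
        ? $users[$username]
        : password_hash('no-such-user', PASSWORD_BCRYPT, hashOptions($cost));

    // password_verify() reads algorithm, cost and salt out of $stored itself.
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (!$known) {
        return false;
    }
    // The plaintext is available only now, at login, so this is the one place
    // an old hash can be upgraded without asking the user to reset anything.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, hashOptions($cost))) {
        $users[$username] = password_hash($password, PASSWORD_BCRYPT, hashOptions($cost));
    }
    return true;
}

// Demo with constructed data.
$users = [];
$cost  = benchmarkCost();
echo "Using bcrypt cost {$cost}\n";

registerUser($users, 'alice', 'correct horse battery staple', $cost);
var_dump(loginUser($users, 'alice', 'correct horse battery staple', $cost));
var_dump(loginUser($users, 'alice', 'wrong password', $cost));
var_dump(loginUser($users, 'mallory', 'anything', $cost));

// Simulate a later policy change: raise the cost by one and log in again;
// the stored hash is upgraded in place and password_get_info() reflects it.
$newCost = $cost + 1;
loginUser($users, 'alice', 'correct horse battery staple', $newCost);
$info = password_get_info($users['alice']);
echo "algo={$info['algoName']} cost={$info['options']['cost']}\n";
```

Two points the thread only touches on: the same password hashed twice gives two different strings (different salts) but both verify, and the cost is stored inside the hash, so old and new hashes coexist in the same table while `password_needs_rehash()` migrates them one login at a time.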