-6

I got these interesting password-hashing codes from somewhere.

One is

$user_passcode = SHA1(MD5($_POST['user_passcode']));

and the other is

$user_passcode = SHA1(SHA1(MD5($_POST['user_passcode'])));

From a security perspective, is this approach acceptable?

chris85
sudo255
  • https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016 – zerkms Jul 07 '16 at 23:55
  • http://php.net/manual/function.password-hash.php – Phil Jul 07 '16 at 23:56
  • No, it is not acceptable, it is a pathetic roll-your-own-crypto by someone who has no idea what they are doing. Do NOT use these, use a system designed for passwords. – Alexander O'Mara Jul 08 '16 at 00:05
  • Maybe look at: http://crypto.stackexchange.com/questions/21052/what-are-the-security-implications-of-multiple-hashing not specific to PHP though.. – chris85 Jul 08 '16 at 00:11

1 Answer

0

NONE! You should not be experimenting with the security of your website. Do not use cryptographic methods that are not tested by professionals.

Double hashing is just a waste of time. It's like trying to build security through obscurity.

It's not the best, but I'll post it as it's a built-in function and definitely more secure than md5().

  • To hash initially on registration, use: password_hash($pass, PASSWORD_DEFAULT, ['cost' => 12]);

Note: Cost is the value that determines how much work your server will need to do to match the password when you log in. The higher you set it, the more difficult and resource-consuming it becomes for the server to match it.

  • To match later on login, use: password_verify($pass, $db_pass);

Clarification: That's the best and most secure method I know of. If anyone has anything more controversial and secure than password_hash(), please share it.

Code:

// When you store it (keep the returned string; it contains the salt and cost)
$db_pass = password_hash($pass, PASSWORD_DEFAULT, ['cost' => 12]);

// When you check if they match
if (password_verify($pass, $db_pass)) {
    // login succeeded
}

Reference: @erickson has written a fantastic answer here.

Angel Politis
  • "*Do not use cryptographic methods that are not tested by professionals.*" So... none of the PHP builtins? ;) – Nic Jul 08 '16 at 00:06
  • Do you know anything more secure @QPaysTaxes? Please share it. I would like to use it myself over `password_hash()` too. – Angel Politis Jul 08 '16 at 00:08
  • It was a joke, based on the fact that a lot of PHP's seemingly secure functions are depressingly insecure. (Take the old mysql_escape_string) – Nic Jul 08 '16 at 00:10
  • PHP seems like a broken language at parts. – Angel Politis Jul 08 '16 at 00:12
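As an added example that is not code from the question, the answer, or PHP's own documentation, the following script puts password_hash()/password_verify() next to the question's SHA1(MD5()) construction, shows why the built-in is salted, measures a suitable cost for the machine it runs on, and rehashes old rows on login. The in-memory $db array, the user names and passwords, and the 250 ms budget in tuneCost() are assumptions made up for the demonstration.

```php
<?php
// Added example, not code from the question or the answer above.
// Contrasts the unsalted SHA1(MD5()) construction with password_hash()/
// password_verify(), tunes the bcrypt cost, and upgrades stored hashes on login.
// The "database" is a constructed in-memory array standing in for a users table.
declare(strict_types=1);

// The construction from the question: no salt, no work factor. Every user with the
// same password gets the same stored value, and one precomputed table cracks them all.
function weakHash(string $password): string
{
    return sha1(md5($password));
}

// Options used for new hashes. Cost 12 is the value from the answer; run tuneCost()
// on the target hardware to decide whether it should be higher.
const HASH_OPTIONS = ['cost' => 12];

// Find the highest bcrypt cost whose single hash stays under a time budget here.
// Assumption: spending about 250 ms per login is acceptable for this site.
function tuneCost(float $budgetSeconds = 0.25): int
{
    $cost = 10;   // bcrypt's default and the floor we will accept
    while ($cost < 31) {
        $start = microtime(true);
        password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost + 1]);
        if (microtime(true) - $start > $budgetSeconds) {
            break;   // cost + 1 is too slow on this machine; keep the current one
        }
        $cost++;
    }
    return $cost;
}

function register(array &$db, string $username, string $password): void
{
    // password_hash() draws a fresh random salt on every call and embeds it, with
    // the algorithm and cost, in the returned string; only that string is stored.
    $db[$username] = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
}

function login(array &$db, string $username, string $password): bool
{
    // Hash of a throwaway value, built once, so unknown usernames take as long to
    // reject as wrong passwords (otherwise response time reveals which accounts exist).
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT, HASH_OPTIONS);
    }

    $stored = $db[$username] ?? $dummyHash;
    if (!password_verify($password, $stored) || !isset($db[$username])) {
        return false;
    }

    // The plaintext is in hand only now, so this is the moment to raise the cost or
    // move to a newer algorithm for rows that were hashed under older settings.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, HASH_OPTIONS)) {
        $db[$username] = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
    }
    return true;
}

// --- demonstration on constructed data ---
$db = [];
register($db, 'alice', 'correct horse battery staple');
register($db, 'bob', 'correct horse battery staple');

// Same password, different stored hashes: the per-call salt at work.
// The question's scheme stores identical values for both users.
var_dump($db['alice'] !== $db['bob']);
var_dump(weakHash('correct horse battery staple') === weakHash('correct horse battery staple'));

var_dump(login($db, 'alice', 'correct horse battery staple'));   // right password
var_dump(login($db, 'alice', 'wrong password'));                 // wrong password
var_dump(login($db, 'nobody', 'anything'));                      // unknown user

// A legacy row hashed at cost 10 is upgraded to HASH_OPTIONS on successful login.
$db['carol'] = password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 10]);
login($db, 'carol', 'hunter2');
var_dump(password_get_info($db['carol'])['options']['cost']);

echo 'Suggested cost for this machine: ' . tuneCost() . PHP_EOL;
```

Runs on PHP 7.0 or later. One caveat worth knowing: bcrypt, which PASSWORD_DEFAULT currently selects, only uses the first 72 bytes of the password, so either enforce a maximum length at registration or use PASSWORD_ARGON2ID where the build supports it.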