My Web Host Doesn't Support SHA-3 or SHA-2 with PHP. What should I do?

Question

So my web host only supports SHA-1 and MD5, which are both pretty broken and out-dated. What can I do in this situation. Will I have to use an external site to hash my password (using POST requests), or would it be safe to do it through JavaScript. I'm not too keen on hashing passwords on the client's side though.

Is there any way I can get a SHA-2, SHA-3 or MD6 algorithm for PHP and use that as a custom method? If not, what would you suggest is the best way to overcome this problem?

Thanks in advance, DibDibs

EDIT

Here are the errors I am receiving when using different methods of hashing...

When I call hash("sha-256", $str), I get this error: PHP Warning: hash(): Unknown hashing algorithm: sha-256

And when I call any algorithm directly, for example sha2($str), I get this error: PHP Fatal error: Uncaught Error: Call to undefined function sha2()

I don't know how the host has disabled them, to me it looks like the functions (hashing algorithms) just aren't there to begin with.

Just wondering what version they have or how they have disabled those. You are using `hash("sha256", "asdf")` or similar and it doesn't work? And no, don't use an outside service for hashing your passwords. — Sami Kuhmonen, Jul 09 '16 at 12:07
Based on the documentation the name should be `sha256` without the dash http://php.net/manual/en/function.hash.php — Sami Kuhmonen, Jul 09 '16 at 12:15
You might wanna do `print_r(hash_algos());` to find out what algorithms are supported, and how they are called/spelled. — Siguza, Jul 09 '16 at 12:30
No. SHA-2 encompasses `sha224`, `sha256`, `sha384`, and `sha512`. — Scott Arciszewski, Jul 09 '16 at 20:31

score 3 · Answer 1 · answered Jul 09 '16 at 12:52

3

Why don't you use password_hash() and password_verify()? They are built in php functions for this purpose.

answered Jul 09 '16 at 12:52

Max

386
3
16

What algorithm(s) do they use? – DibDibs Jul 09 '16 at 13:04
`password_verify()` uses bcrypt by default, but can change over time: http://php.net/manual/en/function.password-hash.php _PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice)._ – Max Jul 09 '16 at 13:42

score 1 · Answer 2 · edited May 23 '17 at 12:08

1)If you own the server you can try this method or use below libraries:

2) Don't use outside service for hashing.

3) If you don't own it i.e if its shared hosting try talking to hosting provider if they could install it for you or try upgrading to some package which allows you to do so.

4) Or you could try nodejs for sha3 hashing & godaddy supports it.

5) Or try cloud hosting.

My Web Host Doesn't Support SHA-3 or SHA-2 with PHP. What should I do?

2 Answers2