0

I'm currently building a web application and I have to store some passwords.

So I want to know what the securest way of hashing and storing passwords is!

My idea was

sha256($a+sha256($b+sha256($c+sha256(password))))

$c=random, unique salt --> which is stored into the database next to my password

$b=random String which is hard coded into my source code

$a=random String which I have to read from a file

The idea behind that is, that the attacker has to get access to my database, my source code, and my file-system which is pretty hard I think.

Is that secure? Do I hash everything to often? Is sha256 secure enough?

Thanks for your help!

Apatus
  • 143
  • 1
  • 2
  • 10
  • 1
    Possible duplicate of [Secure hash and salt for PHP passwords](http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords) – 1615903 Jul 21 '16 at 10:10
  • No that's not secure, because SHA256 is too fast for password hashing and therefore can be brute-forced too easily. Instead use a hash function with a cost factor like BCrypt, PBKDF2 or SCrypt. – martinstoeckli Jul 22 '16 at 21:37
  • Possible duplicate of [How do you use bcrypt for hashing passwords in PHP?](http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php) – martinstoeckli Jul 22 '16 at 21:40

0 Answers0