I want my passwords to be secure in database. Even if someone leaks the passwords I don't want anyone to be able to decrypt them.
- Don't use md5. Just use PHP's `password_hash` and `password_verify`. – MrDarkLynx Mar 23 '17 at 09:08
- Use sha256 or sha512 with salt to hash passwords. – Mubashar Iqbal Mar 23 '17 at 09:10
- md5 / sha1 are hashing algorithms, not encryption. If you're asking about whether to do your own encryption on SO, the answer is no. – Jonnix Mar 23 '17 at 09:11
- Follow this link. http://stackoverflow.com/questions/11624372/best-practice-for-hashing-passwords-sha256-or-sha512 – Mubashar Iqbal Mar 23 '17 at 09:14
- No, don't follow that link. Just use the PHP [password API](http://php.net/password) as @MrDarkLynx suggests. – Jonnix Mar 23 '17 at 09:15
- For passwords you don't use encryption, you use secure hashing and **DO NOT** use something you made yourself. Existing algorithms have gone through rigorous testing and evaluation and many of them are fit for purpose; you can't offer such guarantees in anything you devise yourself. `password_hash` and `password_verify` is the suggested approach in PHP. – apokryfos Mar 23 '17 at 09:15
- Which is better? Learning the difference between encryption and hashing to start with.... without knowing that, writing your own encryption certainly isn't going to be secure. – Mark Baker Mar 23 '17 at 09:15
- Possible duplicate of [Secure hash and salt for PHP passwords](http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords) – Artjom B. Mar 23 '17 at 20:07
1 Answer
Passwords are hashed, not encrypted. There is a big difference. You must understand that encrypted strings can be retrieved by decrypting them. This is not possible when hashing. Hashes are, most of the time, not reversible and passwords are checked by matching the hashes. Hash methods such as MD5 have been cracked and are therefore not safe anymore as the password can be "unhashed".
You should not attempt to make your own hashing algorithm, as it will most likely have major security flaws. Current-day algorithms have been developed by countless security and cryptography experts and have been analyzed over and over again. There is just a zero percent chance that your backyard algorithm will be more secure than algorithms developed by experts.
Just use the PHP default methods, which are `password_hash` and `password_verify`.
The hashing function generates a random salt by itself which is appended to the hashed password. It is therefore a very safe method and your best bet.

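The register/login flow the answer describes, as an added example (not code from the answer or from PHP's documentation); the `$users` array is a constructed stand-in for a database table, and the user names and passwords are made up:

```php
<?php
// Added example: storing and checking passwords with PHP's password API.
// $users stands in for a database table (username => stored hash).
declare(strict_types=1);

/** Store only the hash. PASSWORD_DEFAULT is bcrypt in current PHP; the random
 *  salt and the cost factor are embedded in the returned string, so the
 *  application does not generate, store or manage a salt itself. */
function registerUser(array &$users, string $username, string $password): void
{
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

/** Check a login attempt. password_verify reads salt and cost back out of the
 *  stored hash and compares in constant time. If PHP's default parameters have
 *  become stronger since the hash was made, re-hash now, while the plaintext
 *  is available, so old accounts are upgraded transparently. */
function loginUser(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        // Hash anyway so an unknown username takes as long as a wrong password.
        password_hash($password, PASSWORD_DEFAULT);
        return false;
    }
    if (!password_verify($password, $users[$username])) {
        return false;
    }
    if (password_needs_rehash($users[$username], PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

$users = [];
registerUser($users, 'alice', 'correct horse battery staple');
registerUser($users, 'bob',   'correct horse battery staple');

// Same password, different stored hashes: the per-user salt means a leaked
// table cannot be attacked with one precomputed lookup, unlike unsalted md5(),
// where both users would share an identical digest.
printf("hashes differ: %s\n", var_export($users['alice'] !== $users['bob'], true));

printf("alice, right password: %s\n", var_export(loginUser($users, 'alice', 'correct horse battery staple'), true));
printf("alice, wrong password: %s\n", var_export(loginUser($users, 'alice', 'not her password'), true));
printf("unknown user:          %s\n", var_export(loginUser($users, 'mallory', 'anything'), true));
```

Run with `php example.php`; the stored strings start with `$2y$` followed by the cost, so the algorithm and parameters can be recognised and upgraded later without a schema change.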