Making a password secure

Question

I'm currently looking for the best practice to encrypt and store a user's password. At this moment i'm storing a 'secret key' composed of 16 characters in my JSON configuration and i always concatenate this secret key and the password in order to generate a 'secure' password.

How's it better to approach this situation? Is it secure enough to have 1 key for every password or should i drop this method in favour of good ol' database password + salt storing?

class PasswordHandler
{
    private $_secret_key;

    private $_password;

    public function __construct($password = 'myVeryStrongPasswordThanNoneCouldBreak') {
        $this->_secret_key = 'i36P8JKnyuvaNDah';
        $this->_password   = $password;
        return $this;
    }

    public function processPassword() {
        return hash('sha256', $this->_secret_key . $this->_password);
    }
}

echo (new PasswordHandler)->processPassword();

Also:

Is hashing enough or should i encrypt the password? Is SHA-256 strong enough?
Which hashing/encryption algo is the best-choice when dealing with passwords?

Kind regards!

have you checked `password_hash / password_verify` from [PHP DOC](http://php.net/manual/en/function.password-hash.php) — OldPadawan, Apr 28 '17 at 15:27
Please do not **roll your own** password hashing scheme. PHP provides [password_hash()](http://php.net/manual/en/function.password-hash.php) and [password_verify()](http://php.net/manual/en/function.password-verify.php) please use them. And here are some [good ideas about passwords](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet). If you are using a PHP version prior to 5.5 [there is a compatibility pack available here](https://github.com/ircmaxell/password_compat). — John Conde, Apr 28 '17 at 15:27
So, first rule of security is don't write your own! Bcrypt is probably the best solution for storing passwords. have a look here http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php — zybroxz, Apr 28 '17 at 15:28

score 4 · Accepted Answer · answered Apr 28 '17 at 15:28

Is SHA-256 strong enough?

It might be ok today, but it won't be tomorrow. General use hashes are designed to be fast, which is why they're bad choices for passwords. You want to use a system that's designed to require a lot of computational work.

Which hashing/encryption algo is the best-choice when dealing with passwords

The only thing you should be using to hash passwords in PHP is password_hash() and its partner function password_verify(). If you're using a version of PHP prior to 5.5, you can use this compatibility pack.

Also note:

$this->_secret_key = 'i36P8JKnyuvaNDah';

Your key is not secret anymore.

Is this^ compatible with 7.x? – Anddrw Apr 28 '17 at 15:49 — Anddrw, Apr 28 '17 at 15:49

score 0 · Answer 2 · answered Apr 28 '17 at 15:29

0

I would use the PHP function password_hash with bcrypt (crypt blowfish): source

$encrypted = password_hash("plainpassword", PASSWORD_BCRYPT);

Also you can read why CRYPT_BLOWFISH is the strongest hash algorithm.

answered Apr 28 '17 at 15:29

Agu Dondo

12,638
7
57
68

This article really helped! Thanks! – Anddrw Apr 28 '17 at 15:54

score 0 · Answer 3 · answered Apr 28 '17 at 15:30

0

Look on password_hash() function. It's generate a dynamic salt for each password. I think it's better because if someone found the key, he's able to decrypt all password.

This funtion is used with password_verify($pass_entered, $pass_stored).

answered Apr 28 '17 at 15:30

RockDaFox

217
2
9

score 0 · Answer 4 · answered Aug 18 '21 at 12:51

A Detailed story behind password securing

Passwords

The simplest and the oldest method of entity authentication is the password, something that the claimant possesses. A password is used when a user needs to access a system to use the system's resources (log-in). Each user has a user identification that is public and a password that is private. We can divide this authentication scheme into two separate groups: the fixed password and the one-time password.

Fixed Password

In this group, the password is fixed; the same password is used over and over for every access. This approach is subject to several attacks.

o Eavesdropping.

Eve can watch Alice when she types her password. Most systems, as a security measure, do not show the characters a user types. Eavesdropping can take a more sophisticated form. Eve can listen to the line and then intercept the message, thereby capturing the password for her own use.

o Stealing a Password.

The second type of attack occurs when Eve tries to physically steal Alice's password. This can be prevented if Alice does not write down the password; instead, she just commits it to memory. Therefore, a password should be very simple or else related to something familiar to Alice, which makes the password vulnerable to other types of attacks.

o Accessing a file.

Eve can hack into the system and get access to the file where the passwords are stored. Eve can read the file and find Alice's password or even change it. To prevent this type of attack, the file can be read/write protected. However, most systems need this type of file to be readable by the public.

o Guessing.

Eve can log into the system and try to guess Alice's password by trying different combinations of characters. The password is particularly vulnerable if the user is allowed to choose a short password (a few characters). It is also vulnerable if Alice has chosen something unimaginative, such as her birthday, her child's name, or the name of her favorite actor. To prevent guessing, a long random password is recommended, something that is not very obvious. However, the use of such a random password may also create a problem; Alice might store the password somewhere so as not to forget it. This makes the password subject to stealing.

A more secure approach is to store the hash of the password in the password file (instead of the plaintext password). Any user can read the contents of the file, but, because the hash function is a one-way function, it is almost impossible to guess the value of the password. The hash function prevents Eve from gaining access to the system even though she has the password file. However, there is a possibility of another type of attack called the dictionary attack. In this attack, Eve is interested in finding one pass- word, regardless of the user ID. For example, if the password is 6 digits, Eve can create a list of 6-digit numbers (000000 to 999999), and then apply the hash function to every number; the result is a list of 1 million hashes. She can then get the password file and search the second-column entries to find a match. This could be programmed and run offline on Eve's private computer. After a match is found, Eve can go online and use the password to access the system. We will see how to make this attack more difficult in the third approach.

Another approach is called salting the password. When the password string is created, a random string, called the salt, is concatenated to the password. The salted password is then hashed. The rD, salt, and the hash are then stored in the file. Now, when a user asks for access, the system extracts the salt, concatenates it with the received password, makes a hash out of the result, and compares it with the hash stored in the file. If there is a match, access is granted, otherwise, it is denied. Salting makes the dictionary attack more difficult. If the original password is 6 digits and the salt is 4 digits, then hashing is done over a 10-digit value. This means that Eve now needs to make a list of 10 million items and create a hash for each of them. The list of hashes has 10 million entries and the comparison takes much longer. Salting is very effective if the salt is a very long random number. The UNIX operating system uses a variation of this method.

In another approach, two identification techniques are combined. A good example of this type of authentication is the use of an ATM card with a PIN (personal identification number). The card belongs to the category "something possessed" and the PIN belongs to the category "something known." The PIN is actually a password that enhances the security of the card. If the card is stolen, it cannot be used unless the PIN is known. The PIN, however, is traditionally very short so it is easily remembered by the owner. This makes it vulnerable to the guessing type of attack.

Source: Data Communications and Networking By Behrouz A.Forouzan