
I am using sha1 for my password security. I have stored the password in this way in register.php

// secure password
$salt = openssl_random_pseudo_bytes(20);
$secured_password = sha1($password . $salt);

//Send it to mysql table
$result = $access->registerUser($username, $secured_password, $salt, $email, $fullname);

This all is working fine.

Problem is here:

In my login.php

$password = htmlentities($_POST["password"]);
$secure_password = $user["password"];
$salt = $user["salt"];

// 4.2 Check if entered password matches the password from the database
if ($secure_password == sha1($password . $salt)) {
    //do something
} else {
    //do something
}

I am always getting "password does not match". Where am I going wrong?


1 Answer


First is first. NEVER USE SHA OR MCRYPT TO STORE YOUR PASSWORD.

EDIT: The password_hash() function generates a long password hash, so make sure that your column in MySQL is a VARCHAR with 500 spaces.

All these useless practices are the root reason why so many websites get hacked. To tackle the situation, PHP did a lot of research and at last came up with the most secure function, called password_hash(). I am not going to explain more about password_hash() here, as there are already many documents on the internet.

You can always hash a password like this

<?php

$securePassword = password_hash($_POST['password'], PASSWORD_DEFAULT);

$query = $db->query('INSERT INTO users ......');

?>

And, to verify the password, you can simply use this function

<?php

$passwordHash = $query['password']; //Password from database
$userPassword = $_POST['password']; //Password from form

if(password_verify($userPassword, $passwordHash)) {
    echo 'Password is correct, logged in!';
} else {
    echo 'Password is wrong, try again';
}

?>

And, answer for your question.

PLEASE DON'T USE SHA OR MCRYPT OR BCRYPT. IF YOU WANNA GET YOUR WEBSITE HACKED, THEN CONTINUE. OR USE password_hash()

The reason you don't get the hash generated each time is because openssl_random_pseudo_bytes() generates random numbers each time. So each time, during execution, the function returns different numbers, you get your sha result wrong, and thus it gives a FALSE alert.

PLEASE, AGAIN. I BEG YOU TO USE password_hash() FUNCTION


For more information on password_hash() and password_verify():

  • You are welcome @Spurti. I am just 15yrs old. Any help? Comment down here :) – xXAlphaManXx May 09 '17 at 08:58
  • very impressive from a 15 year :) big up – Masivuye Cokile May 09 '17 at 09:14
  • Actually, password_hash is using bcrypt. Also, what's the relation between a website getting hacked and using "weak" (once again, it's not proved) hashing algorithm? And, maybe 500 is a bit too much, even the documentation recommends 255. – LoïcR May 09 '17 at 09:26
  • Well, I merely agree with you @Sakuto. But, as the test reveals, the password_hash() function is the most secure way of hashing passwords in this era (or at least in PHP7). And, about the relation matter, I agree with you :) – xXAlphaManXx May 09 '17 at 09:28
  • Password given to password_hash is truncated to 72 characters. And no, it won't give you 500 character long string, it will always be 60 characters in length. – Mike Doe May 09 '17 at 09:30
  • Hmm, I didn't know about that. Merely, to accept, I was kind of lazy to search the exact length of `password_hash` @mike – xXAlphaManXx May 09 '17 at 09:32
  • The recommendation is a VARCHAR(255). While the current hash is only 60 characters long, if the default algorithm changes with a new version of PHP, then that length might change – Mark Baker May 09 '17 at 09:38
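As an added example (not code from the question, the answer, or any of the commenters), here is the register/login flow the answer recommends written out end to end with password_hash() and password_verify(), plus a stand-alone check of the points raised in the comments: the embedded salt, the 60-character bcrypt output, and the VARCHAR(255) column. The PDO connection `$db`, the `users` table with its `id`, `username` and `password` columns, and the helper `dummyHash()` are all assumptions made for this illustration.

```php
<?php
// Added example, not from the question or the answer. Assumes a PDO connection
// in $db and a table created roughly as (assumed schema):
//   CREATE TABLE users (id INT AUTO_INCREMENT PRIMARY KEY,
//                       username VARCHAR(64) UNIQUE, password VARCHAR(255));
// VARCHAR(255) leaves room if PASSWORD_DEFAULT changes in a future PHP release.
declare(strict_types=1);

// Registration: password_hash() generates and embeds its own random salt, so
// there is no separate salt column and nothing extra to pass at login time.
function registerUser(PDO $db, string $username, string $password): void
{
    // Hash the raw password. Do not run htmlentities(), trim() etc. on it:
    // any transformation applied here but not at login breaks verification.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

// Hypothetical helper: a fixed hash to verify against when the username does
// not exist, so a login attempt takes about the same time either way and the
// response time does not reveal which usernames are registered.
function dummyHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('unused-dummy-password', PASSWORD_DEFAULT);
    }
    return $hash;
}

// Login: returns true only if the password matches the stored hash.
function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($password, dummyHash()); // equalise timing, then fail
        return false;
    }

    // password_verify() reads the algorithm, cost and salt out of the stored
    // string and compares in constant time; no == and no sha1() are involved.
    if (!password_verify($password, $row['password'])) {
        return false;
    }

    // If PHP's default algorithm or cost has changed since this hash was
    // created, re-hash now while the plaintext is available.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = :p WHERE id = :id');
        $upd->execute([':p'  => password_hash($password, PASSWORD_DEFAULT),
                       ':id' => $row['id']]);
    }
    return true;
}

// Stand-alone check (no database needed) of the points raised in the comments.
$h1 = password_hash('correct horse', PASSWORD_DEFAULT);
$h2 = password_hash('correct horse', PASSWORD_DEFAULT);
var_dump($h1 !== $h2);                           // same password, fresh salt per call
var_dump(strlen($h1));                            // stored length for the current default (bcrypt)
var_dump(password_verify('correct horse', $h1));  // salt is read back out of $h1
var_dump(password_verify('correct horse', $h2));  // ... and out of $h2
var_dump(password_verify('wrong horse', $h1));    // mismatch is reported as false
```

Run the stand-alone part with `php example.php`; the database functions need the assumed `$db` connection and table. The one design point worth noting is that the salt never leaves the hash string, which is exactly what removes the class of bug in the question: there is no second value that has to be stored, reloaded and concatenated in the same byte-for-byte form at login.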