
I recently got into trouble with saving user data in a MySQL database, and I looked for methods of hashing passwords to save them in a DB.

Until yesterday I saved them unsalted as an MD5 hash, but Google told me to stop with that immediately. So I changed my method.

I add the user's first/last name and their username to the password as salts, hash that with SHA512 in PHP and save it in the MySQL DB.

But I looked for other, more common approaches, and as many sites told me, SHA is made for fast hashing and isn't secure enough for passwords; I should rather use things like bcrypt.

So my question is: is SHA512 with salts really that bad at password hashing, so that they get cracked easily with rainbow tables or simple brute force? I thought SHA512 was pretty safe.

And how do I use the bcrypt hash function in PHP? I didn't find a solution that worked for me. Currently in my register.php I save them like this:

$passwordHash = hash('sha512', $password . $vName . $nName . $username);
$result = mysqli_query($connect, "Insert into Accounts Values ('$username', '$passwordHash', '$email', '$vName', '$nName', $zip, '$ort', '$street', $hNr, '$telVor', '$tel')");

But how do I use bcrypt?

Thanks!

Schesam
    Use `password_hash()`, that's exactly what it's for. – Barmar Jul 09 '17 at 14:30
  • Yes, "is sha512 with salts really that bad at Password-Hashing": it is really not secure, don't do it. As Barmar states, use `password_hash()` and `password_verify()`. The reason is not the security of SHA512 vs MD5, it is the amount of CPU utilization required, and there is little difference between the two. What is needed is ~100 ms of CPU utilization to make an attacker's work too slow to be worthwhile at ~100 ms per brute-force attempt. – zaph Jul 09 '17 at 15:31
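The following is an added example, not code from the question or from the commenters, showing what the two comments recommend: replacing `hash('sha512', $password . $salt)` with PHP's built-in bcrypt via `password_hash()` / `password_verify()`, picking a cost that makes one hash take roughly the ~100 ms zaph mentions, and writing the row with a prepared statement instead of interpolating variables into the SQL string. The table name `Accounts` comes from the question; the column names `username` / `passwordHash`, the function names and the `$db` connection are assumptions for illustration. The demonstration at the bottom uses constructed sample data and runs without a database (PHP 5.5 or later).

```php
<?php
// Added example (not the original poster's code). Assumed names: the
// Accounts table is from the question; the column names, function names
// and the $db connection are illustrative.
declare(strict_types=1);

// Pick a bcrypt cost so that one hash takes about $target_seconds on this
// server. The attacker pays the same price per guess, which is the whole
// point: SHA-512 costs microseconds per guess, bcrypt at a tuned cost
// costs ~100 ms. Run once at deploy time, not on every request.
function calibrate_bcrypt_cost(float $target_seconds = 0.1, int $max_cost = 31): int {
    $cost = 10; // password_hash()'s default cost
    do {
        $cost++;
        $start = microtime(true);
        password_hash('calibration-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsed = microtime(true) - $start;
    } while ($elapsed < $target_seconds && $cost < $max_cost);
    return $cost;
}

// Registration: PHP generates a random 16-byte salt itself. The returned
// string ("$2y$12$" + 22-char salt + 31-char hash) carries algorithm, cost
// and salt, so this single 60-character column is all that is stored.
function make_password_hash(string $password, int $cost): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Store it with a prepared statement. Interpolating $username and the hash
// into the query string (as in the question) is an SQL injection hole that
// is independent of the hashing choice.
function store_account(mysqli $db, string $username, string $hash): void {
    $stmt = $db->prepare('INSERT INTO Accounts (username, passwordHash) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
}

// Login: password_verify() reads cost and salt back out of the stored string
// and compares in constant time. password_needs_rehash() lets you raise the
// cost later and upgrade old hashes on the user's next successful login;
// the caller should UPDATE the row when 'new_hash' is not null.
function check_login(string $stored_hash, string $attempt, int $current_cost): array {
    if (!password_verify($attempt, $stored_hash)) {
        return ['ok' => false, 'new_hash' => null];
    }
    $new = null;
    if (password_needs_rehash($stored_hash, PASSWORD_BCRYPT, ['cost' => $current_cost])) {
        $new = password_hash($attempt, PASSWORD_BCRYPT, ['cost' => $current_cost]);
    }
    return ['ok' => true, 'new_hash' => $new];
}

// --- Demonstration with constructed sample data, no database needed ---
$password = 'correct horse battery staple';

// The question's scheme: deterministic and fast. The same name + username
// always yields the same hash, and a GPU tries billions of these per second.
$weak = hash('sha512', $password . 'Max' . 'Mustermann' . 'max123');

// bcrypt: hashing the same password twice gives different strings because
// the salt is random, and each guess costs the attacker a full bcrypt run.
$cost = 12; // replace with calibrate_bcrypt_cost() measured on the real server
$h1 = make_password_hash($password, $cost);
$h2 = make_password_hash($password, $cost);

echo "sha512:   $weak\n";
echo "bcrypt 1: $h1\n";
echo "bcrypt 2: $h2\n";
var_dump($h1 !== $h2);                                      // bool(true)
var_dump(check_login($h1, $password, $cost)['ok']);         // bool(true)
var_dump(check_login($h1, 'wrong password', $cost)['ok']);  // bool(false)

// A hash made earlier with a lower cost still verifies and is flagged for upgrade.
$old = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$res = check_login($old, $password, $cost);
var_dump($res['ok'], $res['new_hash'] !== null);            // bool(true) bool(true)
```

Two caveats a practitioner would want here: bcrypt only looks at the first 72 bytes of the password, so either accept that or pre-hash very long inputs consistently; and the stored column must be at least 60 characters (the PHP manual recommends VARCHAR(255) so a later algorithm change does not truncate the hash).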

0 Answers