
Excuse my knowledge because I am still learning to code on my own and not an expert.

I use crypt with Blowfish ($2a$10$). My secured password will, for instance, show this: $2a$10$137276602359697140be5eISqj55.fGmbUo4PEZoLRpWmxspLiWJK

As it starts with $2a$10, they will know the method I used; will it affect me? Can they (hackers) even do anything with my secured password, as I use a random salt/key, hashed and encrypted? (Rainbow tables.)

Because I got scared after I saw this Password IMAGE

Finally, a last question. I heard that loops make it take longer to get password results during an attack, but what does it do to $hash? Is there a maximum loop limit? Does it have any side effects?

// crypt() takes (string, salt): re-hash the previous value under the same salt.
// $salt is a "$6$..."-prefixed salt string, which selects SHA-512 in crypt().
for ($i = 0; $i < 100000; $i++) {
    $hash = crypt($hash, $salt);
}

Thanks for reading; every answer will be much appreciated. Best regards, Mr Pro Pop!

1 Answer


Behind this wall of text, what I understood is that you are looking for the proper way to encode a password for storage in a database.

Use the password_hash() and password_verify() functions to properly build a hash.

They rely on the BCrypt algorithm by default, which natively implements a salt plus a repetition of encoding at an exponential level, ensuring that passwords are slower to crack.

Don't bother going complex ways; this road is properly standard in PHP and you should stay on this road.

Edit:

Note for your updated question: yes, for the attackers, knowing the algorithm helps a little bit, but removing that portion of the hash does not prevent any attack.

As soon as your hashes are leaked, the real problem is why they are leaked. Most probably any modification you perform to the hash will be written in the source code and can't be a real secret.

Stay on the road, stay safe.

Fabien
  • I remember the PHP4 days when you had to hash and salt your own passwords; that was so much more interesting... but this works too, +1. That all pales compared to PHP4 constructors; you old timers know what I mean... – ArtisticPhoenix Jul 15 '17 at 03:27
  • -Let's encode the passwurdz guyz!!! -Yeah, use BASE64 it's so sekurreed! – Fabien Jul 15 '17 at 03:33
  • lol, I typically used `hash('sha256', $salt1.$password.$salt2)`, although I admit I did use md5 a few times, but that was 10+ years ago before I knew better. Now (at my current job), we just use a Membership platform at work, so I just let them take care of it, and I code the good stuff... like Template Lexers... – ArtisticPhoenix Jul 15 '17 at 03:35
  • Thanks but what do you mean by this "Most probably any modification you perform to the hash will be written in the source code and can't be a real secret" –  Jul 15 '17 at 04:32
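The flow the answer recommends, written out as an added example (not code from the original question or answer), assuming PHP 7.1 or later. It also answers the loop question from the post: bcrypt's cost option is its built-in iteration count (2^cost rounds), stored in the hash alongside the random salt, which is why the $2y$10$ prefix is visible and why no hand-rolled crypt() loop is needed.

```php
<?php
// Added example. The stored string is self-describing:
// "$2y$" + cost ("10$") + 22-char salt + 31-char hash.
// The algorithm and cost being readable is expected; the per-user random
// salt defeats rainbow tables and the cost factor makes guessing slow.

function storePassword(string $password, int $cost = 10): string {
    // password_hash() generates a fresh random salt and embeds it in the result
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

function checkPassword(string $password, string $stored): bool {
    // Reads algorithm, cost and salt back out of $stored; constant-time compare
    return password_verify($password, $stored);
}

// Raising the cost later (faster hardware) needs no migration: verify with the
// existing hash, then re-hash on a successful login if the hash is below target.
function loginAndUpgrade(string $password, string &$stored, int $targetCost): bool {
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $targetCost])) {
        $stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => $targetCost]);
    }
    return true;
}

// Constructed sample input for the demonstration
$password = 'correct horse battery staple';

$stored = storePassword($password);
echo "prefix visible by design: ", substr($stored, 0, 7), PHP_EOL;
echo "correct password verifies: ", var_export(checkPassword($password, $stored), true), PHP_EOL;
echo "wrong password verifies:   ", var_export(checkPassword('wrong', $stored), true), PHP_EOL;

// Hashing the same password twice gives different strings: each call gets a new salt
echo "same hash twice:           ", var_export($stored === storePassword($password), true), PHP_EOL;

// The iteration count lives inside the hash, so old hashes keep verifying after an upgrade
$ok = loginAndUpgrade($password, $stored, 12);
echo "login ok, new prefix:      ", var_export($ok, true), ' ', substr($stored, 0, 7), PHP_EOL;
```

Only the stored string and the cost you choose are needed to verify; nothing in it has to be kept secret in the source code, which is the answer's point about modifications to the hash.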