password security in PHP

Question

What method would you call safest and most secure? I took these snippets off php.net. I'm just wondering because people posted their own and I just couldn't catch on to understand why some are the way they are... Can someone help me out and tell me a little more about these? Which would be the most secure and why?

1.

<?php
$hash = md5($salt1.$password.$salt2);
?>

2.

<?php
function eliteEncrypt($string) {
    // Create a salt
    $salt = md5($string."%*4!#$;\.k~'(_@");

    // Hash the string
    $string = md5("$salt$string$salt");

    return $string;
}
?>

3.

<?php
define ('SALT_ONE', 'some_random_123_collection_&$^%_of_stuff');
define ('SALT_TWO', 'another_random_%*!_collection_ANbu_of_stuff');

$password = 'dragon';

function generate_encrypted_password($str) {
$new_pword = '';

if( defined('SALT_ONE') ):
   $new_pword .= md5(SALT_ONE);
endif;

$new_pword .= md5($str);

if( defined('SALT_TWO') ):
   $new_pword .= md5(SALT_TWO);
endif;

return substr($new_pword, strlen($str), 40);
}

echo generate_encrypted_password($password);
?>

4.

<?
function enchsetenev($toencode,$times)
{
    $salt = 's+(_a*';
    for($zo=0;$zo<$times;$zo=$zo+1)
    {
        $toencode = hash('sha512',salt.$toencode);
        $toencode = md5($toencode.$salt);
    }
    return $toencode;
}

?>

5.

<?php
$hash = $password . $salt;

for ( $i = 0; $i < 10000; $i++ ) {
  $hash = md5( $hash );
}

echo $hash;
?>

Answer 1

1. It is a basic example of what we want, a salt added to the password
2. It is the same example but with the salt generation part.
3. A different method for salting, but still pretty equivalent
4. There's absolutely no point in this over complicated example, hashing with two different hash method many times absolutely don't improve security.
5. Like already said, there's absolutely no point to perform 10000 times a hash.

If you change the first example to :

<?php
  $hash = hash('sha256', $salt1.$password.$salt2);
?>

this will be secure enough for 99% of the application.

The only question is how to generate the salt. I recommend a fixed salt ($salt2) and on salt generated for each user ($salt1) which is stored in the database along the password.

This way you're pretty secure against rainbow table attack even if someone retrieves the content of your database.

Answer 2

A better option is to use something other than md5, check here for a previously answered question relating to this.

Answer 3

there is no standard good answer for this. What I do know is that security and speed has to be balanced. You could AES encrypt every information but would that be feasible? To answer your question MD5 (which is one way encrypt) plus SALT (a really random string) is considered a good standard of security. It just happens to be fastest and secure enough.

If you try to implement your own encryption and what not it will be like that magic trick where you entangle the wire too many times and yet it comes undone with wrist slap. So go for SALT+MD5 unless you want to theorize and thesis-fy the idea.

Answer 4

<?php
$hash = md5($salt1.$password.$salt2);
?>

This one I think suits most of the purpose so I will explain it . Reason there are two salt are because lets say $salt1 is unique to every username hence its an column in the user table (a random string generated when user registers), $salt2 is stored on filesystem somewhere in config.ini file which was created when the application was installed and its same for all users . Now to guess the password hacker will need $salt1 and $salt1 , he can have access to salt1 through sql injection , but not have access to filesystem where salt2 is sotred inside config.ini hence double protection .

Answer 5

Is it just 5 different ways to do almost the same? I think the learning objective here is to understand the importance of salting passwords. The best way to salt is to use as much salt as possible and the salt string includes as many crazy characters as possible.