1

I just made a hash for my password to secure my login script because I'm storing the username and password in a cookie, and I want to know how secure this hash is and whether it can be unbreakable.

This is the hash function:

    public static function hash_password($password) {
        /* hashing the password */
        $hash = hash('sha512', $password);

        /* Iterating the hash a few times */
        for ($i = 1; $i <= 1000; $i++) {
            $hash = hash('sha512', $hash);
        }

        return $hash;
    }

Then `$_POST['password'] = hash_password($_POST['password']);`

password: onlytest
password in hash form: edf566f3f02a6b083db5318d77d06c1fa61e51783f097a7fff84767303832f72489fcf08764f9d4ba6c8d6f4e53c577084d586b2b08c60fbdefdcde2248fbbec
MimoudiX
  • You're storing the hash in a public location and it isn't salted so I presume you just need a farm of GPUs. What I'm wondering is what problem you're trying to solve, because storing the actual password is only necessary in very specific scenarios. – Álvaro González Jan 06 '19 at 18:53
  • @ÁlvaroGonzález I'm storing the password in a cookie for the remember me feature. With what can I salt a password? Because the username can be changed. – MimoudiX Jan 06 '19 at 18:55
  • Don't roll your own password hashing functions. Use the native `password_hash()` function instead. – rickdenhaan Jan 06 '19 at 18:57
  • For that, I suggest a random token. Check [What is the best way to implement “remember me” for a website?](https://stackoverflow.com/questions/244882/what-is-the-best-way-to-implement-remember-me-for-a-website) for some ideas. – Álvaro González Jan 06 '19 at 18:58

3 Answers

3

Short answer is you can't. Read up on this for some short information:

http://php.net/manual/en/function.password-hash.php

At the moment password_hash() is pretty much the best that you can get as far as I'm aware. If you could break it from a simple "Stackoverflow" question, it wouldn't really be a good hash now, would it?

EDIT

You can't break the hash BUT there is always the BRUTE force attack, which means your password will be tested against all kinds of passwords and sooner or later it will guess it, unless your user has a good password or you have a system in place that locks the login form for, let's say, 1-2 mins before re-entering again.

This dude has a good video on it, it's a decent watch: https://www.youtube.com/watch?v=7U-RbOKanYs

Frosty
  • Thanks, I will try forcing users to enter huge characters in the password like "@#_" – MimoudiX Jan 06 '19 at 19:00
  • I'm not a security expert but I'm pretty sure that using password_hash() in cookies weakens the overall mechanism, esp. if the site is not using SSL: the attacker doesn't need to compromise the server and steal the database, he can possibly get the information just by scanning a public wifi. – Álvaro González Jan 06 '19 at 19:01
  • @ÁlvaroGonzález I'm mainly talking about the password_hash() itself not really mentioning the cookies, but yeah storing valuable info in cookies is quite a bad idea – Frosty Jan 06 '19 at 21:18
2

Don't send passwords in a cookie, not even hashed or encrypted. Use a token instead:

  1. Send username and (plaintext) password over a secured channel
  2. Server responds with a token, which is basically a large good random number
  3. Use the token in all subsequent calls

This way, you can delete the token and disable the session; the user will then need username and password again to log in. Also the "remember me" feature can be built this way.

That being said, to answer your question: nothing is unbreakable.

Bart Friederichs
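The three-step token flow from this answer, written out as an added example in PHP that is not part of the answer. It assumes PHP 7.3+ (for the `setcookie()` options array), a PDO connection to a MySQL table named `remember_tokens`, and the hypothetical column names given in the comments.

```php
<?php
// Added example, not from the answer: the token flow above in PHP 7.3+.
// Assumed schema (MySQL): remember_tokens(selector CHAR(24) PRIMARY KEY,
//   validator_hash CHAR(64), user_id INT, expires_at DATETIME).
// The cookie carries "selector:validator"; only a SHA-256 of the validator is
// stored, so a leaked table row is not enough to forge a cookie.
const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 30 * 24 * 3600; // 30 days

function issueRememberToken(PDO $db, int $userId): void {
    $selector  = bin2hex(random_bytes(12)); // public lookup key
    $validator = bin2hex(random_bytes(32)); // secret, only ever in the cookie
    $expires   = time() + REMEMBER_TTL;
    $stmt = $db->prepare('INSERT INTO remember_tokens
        (selector, validator_hash, user_id, expires_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId,
                    date('Y-m-d H:i:s', $expires)]);
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,  // HTTPS only: a plaintext cookie is readable on public wifi
        'httponly' => true,  // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Returns the user id for a valid cookie, null otherwise.
function checkRememberToken(PDO $db, string $cookie): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT validator_hash, user_id FROM remember_tokens
        WHERE selector = ? AND expires_at > NOW()');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Constant-time compare; a wrong validator for a known selector means the
    // token was guessed or copied, so revoke it instead of just failing.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
        return null;
    }
    return (int) $row['user_id'];
}
```

Logging out is the reverse of step 2: delete the row for the cookie's selector and expire the cookie, after which the user must present username and password again.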
1

You might be interested in viewing this post on the pros and cons of "double hashing" a password and this FAQ on password hashing.

Hashing a password with some algorithm A, and re-hashing the hash result with the same algorithm A, is more likely to reduce password entropy. This means that different passwords might give the same hash when processed by hash_password($password).

Instead of implementing your own hashing functions, you should use the native password API whenever possible (starting from PHP 5.5 onwards). Its key function, password_hash, generates a strong salt to be used with the hash and is secure against most brute-force attacks.

EDIT: you might want to give more entropy (= randomness) to your hashed passwords by computing the SHA-512 value of the password + a random salt, and then password_hashing this hash. The final PHP code would look like this:

    function generateSalt() {
        // Cryptographically secure function to generate strings
        return random_bytes(64 /* use 64 bytes */);
    }

    /**
     * Generates a strong SHA-512 hash, for use by passwordSecureHash()
     * @param string $password the plain-text password
     * @param string $salt the salt to generate the hash, to be kept at ALL COSTS - this function will not do it for you!
     * @return string the computed hash.
     */
    function sha512(string $password, string $salt) {
        return hash('sha512', $password . $salt);
    }

    /**
     * Returns the final, secure password hash for storage in database server.
     * @param string $hash the SHA-512 resulting from the sha512() call.
     * @return string|false the hashed password, or FALSE if $hash is malformed.
     */
    function passwordSecureHash(string $hash) {
        if (strlen($hash) !== 128) {
            // Ensure the SHA-512 hash has 128 characters
            return FALSE;
        }
        // Always let PHP generate the final password salt for you.
        // password_hash() requires the algorithm argument; PASSWORD_DEFAULT is
        // bcrypt, which only uses the first 72 bytes of its input.
        return password_hash($hash, PASSWORD_DEFAULT);
    }
Maxime Launois
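As an added example that is not from any of the answers, this is what replacing the question's hash_password() with the native password API looks like end to end: verifying logins with password_verify(), and lazily upgrading records still stored with the old iterated SHA-512 the moment their owner logs in. The record layout and function names are assumptions.

```php
<?php
// Added example, not from the answers: password_hash()/password_verify() in
// place of the question's iterated SHA-512, with lazy migration of old records.
// Assumed user record shape: ['password_hash' => string, 'legacy' => bool].
const HASH_OPTIONS = ['cost' => 12]; // bcrypt work factor, tune per server

// The question's scheme, kept only to check records not yet migrated.
function legacyHash(string $password): string {
    $hash = hash('sha512', $password);
    for ($i = 1; $i <= 1000; $i++) {
        $hash = hash('sha512', $hash);
    }
    return $hash;
}

// A fresh, randomly salted hash; the salt and cost are embedded in the result,
// so no extra column is needed and two users with the same password differ.
function storeNewPassword(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
}

// Checks a login; returns the (possibly upgraded) record, or null on failure.
function verifyAndUpgrade(array $user, string $password): ?array {
    if ($user['legacy']) {
        // Constant-time compare against the old unsalted hash.
        if (!hash_equals($user['password_hash'], legacyHash($password))) {
            return null;
        }
        // The plaintext is known to be correct right now: rehash it properly.
        $user['password_hash'] = storeNewPassword($password);
        $user['legacy'] = false;
        return $user;
    }
    if (!password_verify($password, $user['password_hash'])) {
        return null;
    }
    // Also upgrade when the algorithm or cost changed after the hash was made.
    if (password_needs_rehash($user['password_hash'], PASSWORD_DEFAULT, HASH_OPTIONS)) {
        $user['password_hash'] = storeNewPassword($password);
    }
    return $user;
}

// Migrating the question's example user: "onlytest" stored with the old scheme.
$user = ['password_hash' => legacyHash('onlytest'), 'legacy' => true];
$user = verifyAndUpgrade($user, 'onlytest');         // correct login: record is upgraded
var_dump($user['legacy']);                           // the record no longer uses legacyHash()
var_dump(verifyAndUpgrade($user, 'wrong') === null); // a bad password is rejected
```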