0

I'm trying to use base64 and hash_hmac sha512 to hash the passwords and works fine but I'm wonder if this is secure. I read a lot of almost same question and its seems to be to old.

This for a Website, all this is based on php also the password is storing in the database SQL.

Here is how I hash the password

$htmlTageC = "User pass";
$hash = password_hash(base64_encode(hash_hmac("sha512", $htmlTageC, true)), PASSWORD_DEFAULT);
#save in to DB

And here is how I compare the hash

$hash = base64_encode(hash_hmac("sha512", $password, true));
if (password_verify($hash, $rowsSesion['pass'])) {
}

So like I said This works fine on my test but I'm not sure if this is secure or should I try something else.

Diego
  • 17
  • 1
  • 4
    Define "secure". Not sure why you invent your own hashing mechanism, `password_hash` alone is enough. – Mike Doe Aug 30 '19 at 07:23
  • I don't think it's less safe to hash a password in base 64 than in any other encoding. And it can have some advantage if you want to support special characters in passwords, to work around the different ways different systems handle multi-byte characters, but that advantage is in the area of portability/compatibility, not security. Also, I don't think the extra hashing adds any value. – GolezTrol Aug 30 '19 at 07:27
  • 3
    I don't think what you're doing will make any difference to the security – Barmar Aug 30 '19 at 07:27
  • @GolezTrol Why would this be advantageous vis-à-vis "special characters" in any way…? – deceze Aug 30 '19 at 07:30
  • 1
    There's a theoretical chance that doing this *lowers* the entropy of your passwords and increases the chance of collisions, i.e. you may run the risk of a false password validating as the real password. Though that risk is negligible in practice I'd think. More than anything, it doesn't do anything to make passwords *more* "secure" than just a plain `password_hash`, so… WHY?! – deceze Aug 30 '19 at 07:32
  • @deceze Working with, for example multi-byte strings can be challenging for some, and more so when your script is part of a bigger system with multiple languages/platforms. Base64 eliminates that, and allows you to get those characters in an encoding that is easy and safe to pass around, and without loss of information. I agree with your (theoretical) loss of entropy when it comes to applying the extra hashing, but that doesn't apply to the Base64 conversion. Not saying one should always do this, but depending on the environment/situation it _can_ make handling a little bit easier. – GolezTrol Aug 30 '19 at 08:48
  • @GolezTrol If the base 64 encoding is applied as shown here, it does absolutely nothing. The only way it might make sense is if you have to pass the special characters over a non-binary-safe transport, like 7bit ASCII email. In any other situation it doesn't even really help with encodings, as you'll still need to deal with encodings once you've decoded the string. Using it as a way to not have to deal with encodings (e.g. during a database roundtrip) is… one way, but dealing with encoding properly is probably better. – deceze Aug 30 '19 at 08:56
  • Yeah, it doesn't really make sense to explicitly base64 the string in PHP, but I can imagine it makes sense to just take the encoded string as you receive it from the client, and hash that, rather than decoding it first. In the setup posted by OP it's indeed superfluous. – GolezTrol Aug 30 '19 at 09:45

1 Answers1

-1

The hashing algorithm you use depends on what data you wish to hash. If you are trying to hash passwords, you should use a very secure algorithm such as Argon2i. SHA-512 is only one step above MD5, which is very easy to brute-force in this age. On the other hand, if you are generating a hash for sessions, it would probably be appropriate to use a simpler hashing algorithm such as sha256. Using complicated hashing algorithms reduces speed so be sure to choose them carefully. Or you can use the password_hash() function in PHP. You should be fine if you are using an hmac, however, there is a small chance that a collision will occur and you will be able to gain access to an account you do not have access to, so this might not be a good idea.

https://www.php.net/manual/en/function.password-hash.php

DerpyCoder
  • 127
  • 1
  • 6
  • Some points: What's being done here is *hashing*, not *encryption*. You should never *encrypt* passwords unless you're writing a password manager. Further an HMAC is used, which is pretty secure even if using SHA as its component algorithm. For passwords you *want* a slow algorithm (within reason, obviously not so slow that it becomes unusable). – deceze Aug 30 '19 at 07:42
  • Encryption is two ways, while hashing is one way. – DerpyCoder Aug 30 '19 at 07:46
  • I have fixed the answer. – DerpyCoder Aug 30 '19 at 07:48