
I have been reading a few encryption articles on encrypting passwords in PHP and they all seem to be pretty inconclusive, with reader comments saying "this is stupid, you should do it like this". I have been messing around with encryption and have come up with this, bearing in mind I have been using PHP for a number of days, so you could say I'm a noob :)

<?php
    // $userPassword is assumed to hold the plaintext password submitted by the user
    $salt = uniqid(mt_rand(), true);                   // random salt, generated fresh on every call
    $hashedPassword = sha1( $userPassword . $salt );   // SHA-1 of the password concatenated with the salt
?>
Jim H.
Aretium
  • How do you plan to perform a lookup to authenticate the password when the salt is random? – Brendan Bullen Mar 20 '12 at 16:39
  • Prepare for a long read: http://www.openwall.com/articles/PHP-Users-Passwords + http://www.openwall.com/phpass/ – biziclop Mar 20 '12 at 16:41
  • Just to explain a bit better - By hashing the password, you are preventing the password from being stored in plain text. Therefore, if your DB is compromised, the passwords aren't exposed. The method of hashing means you never compare the password itself. You always compare the hashed versions. Therefore, the hashing function needs to be reproducible, which it isn't in this case because of the random salt. – Brendan Bullen Mar 20 '12 at 16:42
  • Look at this thread "Secure hash and salt for PHP passwords": http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords – Alex L Mar 20 '12 at 16:56
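The following is an added example, not code from the question or from any commenter. It shows the point raised in the comments above in working form: a random salt is fine, but it has to be stored next to the hash and reused at login, otherwise the hash can never be recomputed. It assumes PHP 7 or later (random_bytes, hash_equals, password_hash and password_verify are all standard PHP functions) and uses an in-memory array in place of a database table.

```php
<?php
// Added example (not from the original question). The "users" array stands
// in for a database table with a salt column and a hash column.

declare(strict_types=1);

// Registration: generate a per-user random salt, hash, and persist BOTH values.
function registerUser(array &$users, string $username, string $password): void
{
    $salt = bin2hex(random_bytes(16));        // 128-bit CSPRNG salt, hex-encoded
    $users[$username] = [
        'salt' => $salt,
        'hash' => sha1($password . $salt),    // same construction as the question's snippet
    ];
}

// Login: recompute with the STORED salt. The hash is reproducible only
// because the salt is read back from storage instead of generated again.
function checkLogin(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    $row = $users[$username];
    $candidate = sha1($password . $row['salt']);
    // hash_equals() compares in constant time, avoiding a timing side channel.
    return hash_equals($row['hash'], $candidate);
}

$users = [];
registerUser($users, 'alice', 'correct horse battery staple');

var_dump(checkLogin($users, 'alice', 'correct horse battery staple'));
var_dump(checkLogin($users, 'alice', 'wrong password'));
var_dump(checkLogin($users, 'bob',   'anything'));

// Preferred in current PHP: password_hash() (PHP 5.5+) generates the salt,
// embeds it in the returned string, and uses a deliberately slow algorithm
// (bcrypt for PASSWORD_DEFAULT), so no separate salt column is needed and
// brute force is far more expensive than a single SHA-1 per guess.
$stored = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
var_dump(password_verify('correct horse battery staple', $stored));
var_dump(password_verify('wrong password', $stored));
```

The first three var_dump calls print true, false, false; the two password_verify calls print true and false. The design point is that the salt is not a secret, only a per-user uniqueness value, so storing it in the clear next to the hash costs nothing, while the slow algorithm behind password_hash is what actually limits offline guessing.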

2 Answers


Encryption is different from Hashing.

Just pass your password into SHA-1 or MD5 (considered broken), and you will get the hashed text (which is far more secure). However, it can't be reversed.

Shankar Narayana Damodaran

You don't need salt. Passing the password to sha1 is sufficiently secure. Otherwise you have to store the salt for each user.

kasavbere
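As an added example (not part of either answer), the script below shows concretely what a per-user salt changes for an attacker who has a copy of the password column. The three users and the five-word "cracking wordlist" are constructed here; it assumes PHP 7 or later for random_bytes and the ?? operator.

```php
<?php
// Added example (not from any answer on this page). Compares an unsalted
// sha1(password) column with a salted sha1(password . salt) column against
// the same small wordlist.

declare(strict_types=1);

$wordlist = ['123456', 'password', 'letmein', 'qwerty', 'dragon'];   // constructed

// Unsalted storage: the hash depends on the password alone.
$unsalted = [
    'alice' => sha1('letmein'),
    'bob'   => sha1('letmein'),
    'carol' => sha1('dragon'),
];

// Salted storage: the hash depends on the password AND a per-user random
// value kept beside it (the salt is not secret, only unique).
function salted(string $password): array
{
    $salt = bin2hex(random_bytes(16));
    return ['salt' => $salt, 'hash' => sha1($password . $salt)];
}
$saltedUsers = [
    'alice' => salted('letmein'),
    'bob'   => salted('letmein'),
    'carol' => salted('dragon'),
];

// Attack on the unsalted column: hash the wordlist ONCE, then look up every user.
$table = [];
foreach ($wordlist as $w) {
    $table[sha1($w)] = $w;
}
$hashOps = count($wordlist);
foreach ($unsalted as $name => $h) {
    printf("unsalted %-5s -> %s\n", $name, $table[$h] ?? '(not in wordlist)');
}
printf("unsalted: %d hash computations for %d users\n", $hashOps, count($unsalted));
printf("unsalted: alice and bob share a hash: %s\n",
    $unsalted['alice'] === $unsalted['bob'] ? 'yes' : 'no');

// Attack on the salted column: the precomputed table is useless, and every
// user costs a fresh pass over the wordlist with that user's own salt.
$hashOps = 0;
foreach ($saltedUsers as $name => $row) {
    $found = '(not in wordlist)';
    foreach ($wordlist as $w) {
        $hashOps++;
        if (sha1($w . $row['salt']) === $row['hash']) {
            $found = $w;
            break;
        }
    }
    printf("salted   %-5s -> %s\n", $name, $found);
}
printf("salted: %d hash computations for %d users\n", $hashOps, count($saltedUsers));
printf("salted: alice and bob share a hash: %s\n",
    $saltedUsers['alice']['hash'] === $saltedUsers['bob']['hash'] ? 'yes' : 'no');
```

Two things are visible in the output: with no salt, identical passwords produce identical hashes (so one crack reveals every user who chose that password) and one precomputed table cracks the whole column; with a salt, every user needs a separate run. What a salt does not do is make any single guess slower, which is why a deliberately slow function such as bcrypt (what PHP's password_hash uses by default) is still needed on top of it.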