Password hashing and matching
Problem
I took information from a series of posts and some prior knowledge to implement the following hashing algorithm.
However, there is a lot of talk about what implementations are secure and not secure. How does my method measure up? Is it secure? Are there more secure methods in PHP for hashing tokens and matching with tokens later on?
class Hasher {
    public static function sha512($token, $cost = 50000, $salt = null) {
        $salt = ($salt == null) ? self::generateToken(32) : $salt;
        $salt = '$6$rounds=' . $cost . '$' . $salt . '$'; // crypt() SHA-512 format; crypt() uses at most 16 salt chars
        return crypt($token, $salt);
    }
    public static function sha512Equals($token, $hash) {
        return (crypt($token, $hash) == $hash); // re-hash with the salt and rounds embedded in $hash
    }
    public static function generateToken($length, $characterPool = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') {
        $token = '';
        for ($i = 0, $max = mb_strlen($characterPool); $i < $length; $i++) {
            $token .= $characterPool[self::randomInt(0, $max)];
        }
        return $token;
    }
    // Uniform int in [$min, $max) via rejection sampling; the loop body above and this helper were lost in extraction and are reconstructed.
    public static function randomInt($min, $max) {
        $range = $max - $min;
        if ($range < 1) return $min;
        $bits = strlen(decbin($range - 1));   // bits needed to represent 0..$range-1
        $filter = (1 << $bits) - 1;
        do {
            $rnd = hexdec(bin2hex(openssl_random_pseudo_bytes((int) ceil($bits / 8)))) & $filter;
        } while ($rnd >= $range);
        return $min + $rnd;
    }
}
Solution
Since you're specifically asking about security, I think reviewing your security instead of your code is a valid answer in this case.
The rule in Security-land is "don't do it yourself if others have done it better". It's basically a re-wording of "Use the right tool for the job" and "It isn't encryption until you've taken the time to fully understand the concepts behind the encryption code".
If you want to do hashing right, make sure you read this answer on Security.SE.
Basically, if you want to do it securely, use bcrypt. Since PHP 5.5 it can be called with password_hash.
PHP itself also recommends bcrypt. Their example usage states something like that in the comments (see the snippet under Code Snippets below).
If you don't want to be surprised by a changed default value, change PASSWORD_DEFAULT to PASSWORD_BCRYPT.
Note they have more examples with varying complexity on that site, but this should convey the basics. It's perfectly possible to hand a whole sleeve of options to the function.
As a last note, you want to handle tokens. Do not store tokens in your database, only store hashed tokens. See also Part II of this answer.
Update:
In the above I assume you're using PHP 5.5 or higher. See this answer for implementations when using a lower version.
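The following is an added example, not code from the question or the answer above. It walks through the full lifecycle the answer recommends: hashing with password_hash pinned to PASSWORD_BCRYPT and an explicit cost, verifying with password_verify, upgrading old hashes with password_needs_rehash after a successful login, and the token rule (hand the raw token out, store only its hash, compare with hash_equals). It assumes PHP 7.0 or newer (random_bytes, scalar type hints); the cost of 12, the function names, and the in-memory $users array standing in for a database row are all assumptions of this example.

```php
<?php
// Added example (not from the original answer). Assumes PHP 7.0+.

const BCRYPT_COST = 12;   // assumption: tune so one hash takes roughly 100 ms on your hardware

function hashPassword(string $password): string
{
    // PASSWORD_BCRYPT pins the algorithm so a changed PASSWORD_DEFAULT cannot surprise you.
    // password_hash() generates a random 16-byte salt itself; never supply your own.
    // The result is 60 characters today, but store it in a 255-character column anyway.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function checkPassword(string $password, string &$storedHash): bool
{
    // password_verify() reads algorithm, cost and salt out of the stored hash and
    // compares in constant time, so no manual crypt() == $hash comparison is needed.
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    // Transparently upgrade hashes that were made with an older or cheaper cost.
    // Only possible right after a successful login, because the plaintext is in hand.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $storedHash = hashPassword($password);
    }
    return true;
}

// Tokens (password reset links, API keys): give the raw token to the user, keep only the hash.
// A random 32-byte token already has 256 bits of entropy, so brute force is infeasible and a
// fast hash is enough; bcrypt's cost and 72-byte input limit are not needed here.
function issueToken(): array
{
    $raw = bin2hex(random_bytes(32));            // 64 hex characters, CSPRNG-backed
    return ['raw' => $raw, 'hash' => hash('sha256', $raw)];
}

function checkToken(string $presented, string $storedHash): bool
{
    // hash_equals() keeps the comparison constant-time; a plain == would leak timing.
    return hash_equals($storedHash, hash('sha256', $presented));
}

// Usage against a constructed in-memory "database" (assumption; stands in for a real row).
$users = ['alice' => ['password_hash' => hashPassword('correct horse battery staple')]];

var_dump(checkPassword('correct horse battery staple', $users['alice']['password_hash']));
var_dump(checkPassword('Tr0ub4dor&3', $users['alice']['password_hash']));

$token = issueToken();
$users['alice']['reset_token_hash'] = $token['hash'];   // the raw token is never persisted
var_dump(checkToken($token['raw'], $users['alice']['reset_token_hash']));
var_dump(checkToken('guess', $users['alice']['reset_token_hash']));
```

The stored hash is passed by reference so the rehash branch can replace it in the same place a real application would write it back to the database. Raising BCRYPT_COST later needs no migration: every user is upgraded the next time they log in.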
Code Snippets
<?php
/**
 * We just want to hash our password using the current DEFAULT algorithm.
 * This is presently BCRYPT, and will produce a 60 character result.
 *
 * Beware that DEFAULT may change over time, so you would want to prepare
 * by allowing your storage to expand past 60 characters (255 would be good).
 */
echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT)."\n";
?>
Context
StackExchange Code Review Q#100889, answer score: 17