patternphpModerate
Hashing passwords in PHP
Viewed 0 times
hashingphppasswords
Problem
When hashing a password, I understand it is best not to use functions such as SHA1 or MD5.
This function is working fine and I want to know if it can be improved to increase site security.
This function is working fine and I want to know if it can be improved to increase site security.
class safePassword
{
public static function makeSafe($password)
{
$salt = "mySalt";
$hash = hash("sha256", $salt.".".$password);
return $hash;
}
}Solution
I understand it is best not to use functions such as SHA1 or MD5.
That is true. But sha256 is not that much better.
Problem: simple sha256
There are basically two problems with your approach:
These are serious issues.
The main problem with missing user-based salts is that an attacker only needs to hash each password once and can then compare it to the hashes of all users, instead of needing to hash the password with each salt. This speeds up cracking considerably.
The problem with the second point should be obvious. Hardware has become quite powerful over the years, and simple hashing just doesn't hold up anymore (and hasn't for quite a while). Here for example is a benchmark of 3090.3 Million guesses per second on a pretty standard PC.
If your database is ever leaked - for example because of a Code Execution or SQL Injection vulnerability - it will be quite easy for an attacker to crack a good percentage of your users passwords.
Solution: Bcrypt
What you want to use is bcrpyt. With PHP, this can be done via
Example:
User-based salts are managed automatically for you, and it uses multiple rounds of hashing, slowing the process down, and thus increasing the resources an attacker needs to crack your hashes.
You can still use a pepper with bcrypt if you want to.
For more information about password hashing in general see here.
Misc
That is true. But sha256 is not that much better.
Problem: simple sha256
There are basically two problems with your approach:
- you don't use a user-based salt, only a site-based salt (also called a pepper).
- you only use simple sha256, which is way too fast.
These are serious issues.
The main problem with missing user-based salts is that an attacker only needs to hash each password once and can then compare it to the hashes of all users, instead of needing to hash the password with each salt. This speeds up cracking considerably.
The problem with the second point should be obvious. Hardware has become quite powerful over the years, and simple hashing just doesn't hold up anymore (and hasn't for quite a while). Here for example is a benchmark of 3090.3 Million guesses per second on a pretty standard PC.
If your database is ever leaked - for example because of a Code Execution or SQL Injection vulnerability - it will be quite easy for an attacker to crack a good percentage of your users passwords.
Solution: Bcrypt
What you want to use is bcrpyt. With PHP, this can be done via
password_hash (which is also the first result when googling "php hash password").Example:
// hash
$hash = password_hash("password", PASSWORD_DEFAULT);
echo $hash;
// check
echo "" . password_verify("password", $hash);User-based salts are managed automatically for you, and it uses multiple rounds of hashing, slowing the process down, and thus increasing the resources an attacker needs to crack your hashes.
You can still use a pepper with bcrypt if you want to.
For more information about password hashing in general see here.
Misc
makeSafeis not a good function name. Make safe how?hashwould be more accurate.
Code Snippets
// hash
$hash = password_hash("password", PASSWORD_DEFAULT);
echo $hash;
// check
echo "<br>" . password_verify("password", $hash);Context
StackExchange Code Review Q#104818, answer score: 17
Revisions (0)
No revisions yet.