HiveBrain v1.2.0
Get Started
← Back to all entries
patternphpModerate

Hashing passwords in PHP

Submitted by: @import:stackexchange-codereview··
0
Viewed 0 times
hashingphppasswords

Problem

When hashing a password, I understand it is best not to use functions such as SHA1 or MD5.

This function is working fine and I want to know if it can be improved to increase site security.

class safePassword
{
    public static function makeSafe($password)
    {
        $salt = "mySalt";
        $hash = hash("sha256", $salt.".".$password);
        return $hash;
    }
}

Solution

I understand it is best not to use functions such as SHA1 or MD5.

That is true. But sha256 is not that much better.

Problem: simple sha256

There are basically two problems with your approach:

  • you don't use a user-based salt, only a site-based salt (also called a pepper).



  • you only use simple sha256, which is way too fast.



These are serious issues.

The main problem with missing user-based salts is that an attacker only needs to hash each password once and can then compare it to the hashes of all users, instead of needing to hash the password with each salt. This speeds up cracking considerably.

The problem with the second point should be obvious. Hardware has become quite powerful over the years, and simple hashing just doesn't hold up anymore (and hasn't for quite a while). Here for example is a benchmark of 3090.3 Million guesses per second on a pretty standard PC.

If your database is ever leaked - for example because of a Code Execution or SQL Injection vulnerability - it will be quite easy for an attacker to crack a good percentage of your users passwords.

Solution: Bcrypt

What you want to use is bcrpyt. With PHP, this can be done via password_hash (which is also the first result when googling "php hash password").

Example:

// hash
$hash = password_hash("password", PASSWORD_DEFAULT);

echo $hash;

// check
echo "" . password_verify("password", $hash);


User-based salts are managed automatically for you, and it uses multiple rounds of hashing, slowing the process down, and thus increasing the resources an attacker needs to crack your hashes.

You can still use a pepper with bcrypt if you want to.

For more information about password hashing in general see here.

Misc

  • makeSafe is not a good function name. Make safe how? hash would be more accurate.

Code Snippets

// hash
$hash = password_hash("password", PASSWORD_DEFAULT);

echo $hash;

// check
echo "<br>" . password_verify("password", $hash);

Context

StackExchange Code Review Q#104818, answer score: 17

Revisions (0)

No revisions yet.