This question already has an answer here:
-
Secure hash and salt for PHP passwords
14 answers
I'm working on a website that should be very safe for the users, so I need the hash the passwords. Usually I'm using the MD5, but I read that it doesn't safe anymore. So I tried PHPass, but then I read that it also has been cracked. So I tried password_hash()
of PHP 5.5, but I use HostGator, and the PHP there is 5.4. Also I want to be able to add salt without knowing it (like time() * userid()
), like in the password_hash()
.
The hash strength is very important to me because I want to be 100% sure that my users are safe. So is there a way that very safe and not something like SHA that will be hacked soon?
Use this library which provides forward compatibility with the password_*
functions.
Example usage :
require_once("password.php"); // imports the library, assuming it's in the same directory as the current script
$password = "HelloStackOverflow"; // example password
$hash = password_hash($password, PASSWORD_BCRYPT); // here's the hash of the previous password
$hash = password_hash($password, PASSWORD_BCRYPT, array("cost" => 10)); // you can set the "complexity" of the hashing algorithm, it uses more CPU power but it'll be harder to crack, even though the default is already good enough
if (password_verify($password, $hash)) { // checking if a password is valid
/* Valid */
} else {
/* Invalid */
}
PHP comes with built-in hash algorithms such as MD5, SHA1 etc. However, from a security perspective, it's not recommended to use these functions to hash passwords as they can be easily broken via bruteforce attack using tools like Passwordpro.
It's better if you use salting as a way to secure your passwords. Below is an example :
$password = 'yourpassword';
$salt = 'randomstr!ng';
$password = md5($salt.$password);
An even better way of generating the salt is by hashing it first:
$password = 'yourpassword';
$salt = sha1(md5($password));
$password = md5($password.$salt);
The advantage is that this way the salt value is random and it changes for each password, making it nearly impossible to break.
Take a look at http://php.net/manual/de/function.crypt.php
You should consider using salts to prevent rainbow table attacks
You can find a tutorial here: http://www.yiiframework.com/wiki/425/use-crypt-for-password-storage/
I tink that the best thing is using a library to manage passwords.
If you cannot use php 5.5 you can try this library that works for php5.3+, have a look at this project:
http://rchouinard.github.io/phpass/