DISABLE ADBLOCK

ADBlock is blocking some content on the site

ADBlock errore

Php Mysql Secure Password Store [duplicate]

StackOverflow https://stackoverflow.com/questions/13216791
  •   php  -  hash
  •  | 
  •  
  •  | 
  •   ( words)

Question

Possible Duplicate:
How do you use bcrypt for hashing passwords in PHP?

What is the secure way or hash function to store password to Mysql Database? Now I'm using this sha1() function to store my password to DB with following code. Is it really Safe?

<?php
$pass = 123456789;
$pass = sha1($pass);
echo $pass;
?>

Thanks for your advise.

Update

I see salt is something like this.

$salt = "this is a salt";
$password = 'this is an password';
$hash = sha1($salt.$password);

So, Can i use any number/random number/something to $salt value? After that is it Now SAFE?

Solution 2

The best (and recommended) way of hashing passwords in PHP is using crypt().

Here's a simple example from the PHP documentation:

$hashed_password = crypt('mypassword');

// now store $hashed_password in the database

Later, to check an entered password (assuming $user_input is the entered password):

// retrieve $hashed_password from the database, then:

if (crypt($user_input, $hashed_password) == $hashed_password) {
   echo "Password verified!";
}

Note that in this example (above) the salt is automatically generated when the password is first hashed. This is dangerous and should be avoided. A pseudo-random salt should be provided and could be generated like so:

$salt = substr(str_replace('+', '.', base64_encode(pack('N4', mt_rand(), mt_rand(), mt_rand(), mt_rand()))), 0, 22);

For a much better explanation, see the Stack Overflow question linked by citricsquid.

OTHER TIPS

The SHA* variants should not be used for password hashing. Use the Blowfish algorithm and the crypt() function.

phpass is a PHP password hashing library that can simplify this for you.

You could also do more research on the topic and write some code to generate your own Bcrypt/Blowfish compatible Salts and use crypt() directly, rather than using the phpass library.

You cannot use a random value for salt, since you wont be able to compare the inputed password and the one stored in database afterwards.

You encryption is mainly ok, but you can go real crazy if you want...

<?php
 $salt = "fF#$GGG$T@#4309g9jERGWrgrew@GH";
 $pepper = "vV@@#V90Ù39009gfjigwjorn)(";
 $pass = "123456789";
 $pass = $salt.$pass.$pepper;
 for ($i=0;$i<40;$i++){
    $pass = hash("sha256", $pass)
 }

 echo $pass;

?>

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow