Question

In an MVC style web app, what's the best/most secure way of setting up a hashing method that's available globally?

I've just been doing this within my core controller that is extended by the rest of my scaffolding:

<?php

class Core {

    /** @var string The most recently computed digest. */
    protected $data;

    // Hashes a string with a fixed, hard-coded salt using MD5 (the approach being asked about).
    protected function salt($string = null) {
        $salt = 'dsjflk32osdjshewy8327rtewyrkjfdhdsgnmbcxvsgfyew3287';
        $this->data = md5($salt . $string);

        return $this->data;
    }
}

Is this good practice, or should I be doing something different?

Solution

It depends on what you want to hash. If it's just to create a unique identifier for larger/grouped datasets, then you could just use MD5. Using a salt isn't really needed then, but it can't harm you either.

If you want to use it for passwords, don't use a hashing function that is optimized for speed at all, because it's not really secure. For passwords I recommend Bcrypt, and this question has a lot of information on why you should use it.

If you need the hashing function to disguise parameters, so they cannot be altered, an md5 hash would be sufficient as well. Since you need to store the link between the hash and the actual value somewhere, they can try to brute-force the md5 to change the parameter, but they still can only enter values you allowed and have in your link table.

OTHER TIPS

Look at Openwall's phpass:

http://www.openwall.com/phpass/

It's used in a lot of open source PHP projects.

This is an alternate solution,

      // crypt() takes the salt as its second argument; $salt and $string are assumed to be defined as in the question.
      $this->data = crypt($string, $salt);

It's not a good idea to use a constant salt in a hash. It's wise to use a different salt for each hash. For this you can:

  1. Generate a random salt and save it next to the hash in the db.

  2. (better) A password is always connected with some entity in the database, so you can pick some attribute that won't be changed (its ID or creation date) as the varying part of the salt.
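As an added example (not code from the question or from any of the answers), here is how the accepted answer's Bcrypt recommendation and the per-hash random salt from the list above can be combined in the asker's Core controller using PHP's built-in password_hash() and password_verify(): the salt is generated fresh for every call and stored inside the hash string, so nothing needs to be hard-coded or kept in a separate column. The class and method names, the cost value and the demo password are assumptions; it assumes PHP 8 for str_starts_with().

```php
<?php
// Added example: bcrypt-based password helpers for a Core controller.
// Method names, cost and sample password are assumptions, not from the page.
class Core
{
    // Work factor; raise it as hardware gets faster (each +1 doubles the time).
    private const BCRYPT_COST = 12;

    protected function hashPassword(string $plain): string
    {
        // password_hash() draws a fresh 16-byte salt from the CSPRNG on every call,
        // so two users with the same password get different stored values.
        return password_hash($plain, PASSWORD_BCRYPT, ['cost' => self::BCRYPT_COST]);
    }

    protected function verifyPassword(string $plain, string $stored): bool
    {
        // The salt and cost are parsed back out of $stored; the comparison is constant-time.
        return password_verify($plain, $stored);
    }

    protected function needsRehash(string $stored): bool
    {
        // True when $stored was made with a lower cost or a different algorithm
        // (for example a legacy md5 value like the question's salt() output),
        // so the hash can be upgraded on the next successful login.
        return password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => self::BCRYPT_COST]);
    }
}

// Constructed demo: register a password, verify it, and check two stored values for upgrade.
class Demo extends Core
{
    public function run(): void
    {
        $stored = $this->hashPassword('correct horse battery staple');

        // Stored value has the form "$2y$12$" + 22-char salt + 31-char hash: the salt travels with it.
        var_dump(str_starts_with($stored, '$2y$12$'));
        var_dump($this->verifyPassword('correct horse battery staple', $stored));
        var_dump($this->verifyPassword('Correct horse battery staple', $stored));
        var_dump($this->needsRehash($stored));

        // An unsalted md5 digest (constructed) is recognised as not being bcrypt and flagged for rehash.
        var_dump($this->needsRehash(md5('legacy')));
    }
}

(new Demo())->run();
```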

Use SHA512 for encryption; MD5 is not secure at all. The method I use to get it encrypted:

<?php
// $myconstantvar, $username and $mypass are assumed to be defined earlier.
$salt  = hash("SHA512", $myconstantvar);
$peper = hash("SHA512", $username);
$pass  = hash("SHA512", $mypass);

$enc_pass = hash("SHA512", $salt . $pass . $peper);

Licensed under: CC-BY-SA with attribution