PHP password security - whats left?

Question

What to use for password security ?

Being a newbie at this (and coding in general), I've been looking at all sorts of different tutorials, articles etc. about PHP and security concerning passwords. This resulted in all sorts of different solutions, when using a mysql db and php. The unfortunate things is, that all of these different articles and / or tutorials seem to contradict one another. Some say md5 is fine for the "mainstream" user, others recommend sha1 or crypt(). Now, as far as I can see, only crypt() seems like a "viable" solution. Using md5 doesn't exactly seem safe, having all sorts of different online decryption sites. Using sha1, even with a salt, doesn't seem any better. A short demonstration is given here:

http://www.youtube.com/watch?v=lrGMxH8WNZ8

All of this leads me to my question. What would be the best solution for a mysql driven forum site ? It doesn't, in principle at least, contain any "personal information" (couldn't remember the correct english term). Is it necessary to make some SSL solution or......?

Thank you.

Answer 1

Everyone is going to tout bcrypt which is solid. but i prefer the new PHP5 API password hashing function which is standard in php 5.5.

read about it here

It is super easy and from what I can tell super secure.

Just set up a 60 length varchar in your db and your set

$hash = password_hash($password, PASSWORD_BCRYPT);

and to verify:

if (password_verify($password, $hash)) {
    // password valid!
} else {
    // wrong password :(
}

Since not all hosting servers offer 5.5 you can get the class here

As far as SSL goes, it is recommended.

Answer 2

md5 and sha are not to be used really - http://www.php.net/manual/en/faq.passwords.php#faq.passwords.fasthash

Also, whether you store boring non sensitive info or government secrets, you should use the most secure methods. What if your site plan changes once all this is implemented and suddenly you DO need to store sensitive data?
What if someone hacks your non-sensitive database through insecure methods and wipes everything? It may be nothing more than a pain losing all that data and having to restore form a back up, but for me this in itself is enough.
Also, as someone has hacked your DB, what if they return later and do it again, you'll end up having to update your login methods anyway.

Adding to that, why not learn best practice from the start then any site you do is best security approach? Why learn simple and not-so-secure methods for one site to learn a different way for another later?
Learn best practice, always, and always use it then you only need to learn and use one method throughout all your code and thus from practice makes you more efficient and knowledgeable with it.

A combination of crypt and Blowfish is pretty much the way I go now. It takes user password from registration and spits out a hashed string and unique salt together, always same char length so you can manage it in a database easily.
All users salts are different so someone obtaining all your DB data and working out how one password salt is formed, which is barely possible, gets only one password and in no way the method to obtain others.

Then when user logs in, you simply use the built in function to check their inputted password from login form to the one in the DB and the library works out the hash/salt/etc and checks the two. If match log them in, otherwise not.