What way is the best way to hash a password? [duplicate]

Question 1

Use this library which provides forward compatibility with the password_* functions.

Example usage :

require_once("password.php"); // imports the library, assuming it's in the same directory as the current script

$password = "HelloStackOverflow"; // example password

$hash = password_hash($password, PASSWORD_BCRYPT); // here's the hash of the previous password

$hash = password_hash($password, PASSWORD_BCRYPT, array("cost" => 10)); // you can set the "complexity" of the hashing algorithm, it uses more CPU power but it'll be harder to crack, even though the default is already good enough

if (password_verify($password, $hash)) { // checking if a password is valid
    /* Valid */
} else {
    /* Invalid */
}

Question 2

PHP comes with built-in hash algorithms such as MD5, SHA1 etc. However, from a security perspective, it's not recommended to use these functions to hash passwords as they can be easily broken via bruteforce attack using tools like Passwordpro.

It's better if you use salting as a way to secure your passwords. Below is an example :

$password = 'yourpassword';
$salt = 'randomstr!ng';
$password = md5($salt.$password);

An even better way of generating the salt is by hashing it first:

$password = 'yourpassword';
$salt = sha1(md5($password));
$password = md5($password.$salt);

The advantage is that this way the salt value is random and it changes for each password, making it nearly impossible to break.

Question 3

Take a look at http://php.net/manual/de/function.crypt.php

You should consider using salts to prevent rainbow table attacks You can find a tutorial here: http://www.yiiframework.com/wiki/425/use-crypt-for-password-storage/

Question 4

I tink that the best thing is using a library to manage passwords.
If you cannot use php 5.5 you can try this library that works for php5.3+, have a look at this project:

http://rchouinard.github.io/phpass/