PHP salt passwords

Question

Ok so here is how We do passwords.

note We did change what we salt by.

<?


$PASSWORD = $_GET["password"];


$ranNUM = rand(965824, 957873488423748423486483);
$PASSWORD =  hash('sha512', $PASSWORD.$ranNUM.'MONKEY MONEY sad happy 7ab27t8g2hjq8tt 2g y8t 82 t2g edb t7e2gqjcb  t8egsjc byut87qebcjn 87ctyeqcb t78ye jscyt8ique bcg781eghjs btgq78 cbqjg78pqdgj d t87dqgjh bxauy fpqdgs,q vayupf d', TRUE);



for ($i = 1; $i <= $_GET['num']; $i++) {
$PASSWORD =  md5($PASSWORD);
$PASSWORD =  hash('sha512', $PASSWORD.$ranNUM.'MONKEY MONEY sad happy 7ab27t8g2hjq8tt 2g y8t 82 t2g edb t7e2gqjcb  t8egsjc byut87qebcjn 87ctyeqcb t78ye jscyt8ique bcg781eghjs btgq78 cbqjg78pqdgj d t87dqgjh bxauy fpqdgs,q vayupf d', TRUE);
$PASSWORD =  hash('sha512', $PASSWORD.$ranNUM.'MONKEY MONEY sad happy 7ab27t8g2hjq8tt 2g y8t 82 t2g edb t7e2gqjcb  t8egsjc byut87qebcjn 87ctyeqcb t78ye jscyt8ique bcg781eghjs btgq78 cbqjg78pqdgj d t87dqgjh bxauy fpqdgs,q vayupf d', TRUE);
$PASSWORD =  hash('sha512', $PASSWORD.$ranNUM.'MONKEY MONEY sad happy 7ab27t8g2hjq8tt 2g y8t 82 t2g edb t7e2gqjcb  t8egsjc byut87qebcjn 87ctyeqcb t78ye jscyt8ique bcg781eghjs btgq78 cbqjg78pqdgj d t87dqgjh bxauy fpqdgs,q vayupf d', FALSE);
$PASSWORD =  hash('sha512', $PASSWORD.$ranNUM.'MONKEY MONEY sad happy 7ab27t8g2hjq8tt 2g y8t 82 t2g edb t7e2gqjcb  t8egsjc byut87qebcjn 87ctyeqcb t78ye jscyt8ique bcg781eghjs btgq78 cbqjg78pqdgj d t87dqgjh bxauy fpqdgs,q vayupf d', TRUE);
$PASSWORD =  hash('sha512', $PASSWORD.$ranNUM.'MONKEY MONEY sad happy 7ab27t8g2hjq8tt 2g y8t 82 t2g edb t7e2gqjcb  t8egsjc byut87qebcjn 87ctyeqcb t78ye jscyt8ique bcg781eghjs btgq78 cbqjg78pqdgj d t87dqgjh bxauy fpqdgs,q vayupf d', TRUE);
$PASSWORD =  hash('sha512', $PASSWORD.$ranNUM.'MONKEY MONEY sad happy 7ab27t8g2hjq8tt 2g y8t 82 t2g edb t7e2gqjcb  t8egsjc byut87qebcjn 87ctyeqcb t78ye jscyt8ique bcg781eghjs btgq78 cbqjg78pqdgj d t87dqgjh bxauy fpqdgs,q vayupf d', TRUE);
$PASSWORD =  md5($PASSWORD);
$PASSWORD =  hash('sha512', $PASSWORD.$ranNUM.'MONKEY MONEY sad happy 7ab27t8g2hjq8tt 2g y8t 82 t2g edb t7e2gqjcb  t8egsjc byut87qebcjn 87ctyeqcb t78ye jscyt8ique bcg781eghjs btgq78 cbqjg78pqdgj d t87dqgjh bxauy fpqdgs,q vayupf d', TRUE);
$PASSWORD =  hash('sha512', $PASSWORD.$ranNUM.'MONKEY MONEY sad happy 7ab27t8g2hjq8tt 2g y8t 82 t2g edb t7e2gqjcb  t8egsjc byut87qebcjn 87ctyeqcb t78ye jscyt8ique bcg781eghjs btgq78 cbqjg78pqdgj d t87dqgjh bxauy fpqdgs,q vayupf d', FALSE);
$PASSWORD =  hash('sha512', $PASSWORD.$ranNUM.'MONKEY MONEY sad happy 7ab27t8g2hjq8tt 2g y8t 82 t2g edb t7e2gqjcb  t8egsjc byut87qebcjn 87ctyeqcb t78ye jscyt8ique bcg781eghjs btgq78 cbqjg78pqdgj d t87dqgjh bxauy fpqdgs,q vayupf d', TRUE);
$PASSWORD =  md5($PASSWORD);
$PASSWORD =  hash('sha512', $PASSWORD.$ranNUM.'MONKEY MONEY sad happy 7ab27t8g2hjq8tt 2g y8t 82 t2g edb t7e2gqjcb  t8egsjc byut87qebcjn 87ctyeqcb t78ye jscyt8ique bcg781eghjs btgq78 cbqjg78pqdgj d t87dqgjh bxauy fpqdgs,q vayupf d', TRUE);
$PASSWORD =  hash('sha512', $PASSWORD.$ranNUM.'MONKEY MONEY sad happy 7ab27t8g2hjq8tt 2g y8t 82 t2g edb t7e2gqjcb  t8egsjc byut87qebcjn 87ctyeqcb t78ye jscyt8ique bcg781eghjs btgq78 cbqjg78pqdgj d t87dqgjh bxauy fpqdgs,q vayupf d', FALSE);
$PASSWORD =  hash('sha512', $PASSWORD.$ranNUM.'MONKEY MONEY sad happy 7ab27t8g2hjq8tt 2g y8t 82 t2g edb t7e2gqjcb  t8egsjc byut87qebcjn 87ctyeqcb t78ye jscyt8ique bcg781eghjs btgq78 cbqjg78pqdgj d t87dqgjh bxauy fpqdgs,q vayupf d', TRUE);
$PASSWORD =  hash('sha512', $PASSWORD.$ranNUM.'MONKEY MONEY sad happy 7ab27t8g2hjq8tt 2g y8t 82 t2g edb t7e2gqjcb  t8egsjc byut87qebcjn 87ctyeqcb t78ye jscyt8ique bcg781eghjs btgq78 cbqjg78pqdgj d t87dqgjh bxauy fpqdgs,q vayupf d', TRUE);

print $PASSWORD;
print "<br>";

}

//print $PASSWORD;
?>  

What we do is we send a num say 7 along with the password then we run the encryption 7 times

along with the random number for that user (which is saved in another DB) NOT ON THE SAME SERVER

we then have what the password should be.

What do you think is this over kill?

for e.g 123 running twice would get

íaªyå`ˆsœA²„†N¸jø¦žÃïªd*hÂ?‘\e½s­&žÉ:Ñl6DïƒÀ`ß,¢‹HÎÌ(üBìð6

to make this even safer you could have random paragraphs for each one.

You would need to have it saved somewhere, but would be great if you could just scan a google or bing or any site, and get a random sentence from there site.

Please tell me your thoughts.

Answer 1

It's an overkill, and I'm not sure it's theoretically sound.

One sound method of making your (salted) password a pain to bruteforce is RSA's PBKDF2.

Here's a PBKDF2 PHP implementation.

You may also be interested in Blowcrypt (similar intent, but using the blowfish algorithms) and Scrypt (a nasty little fellow that can be told how much memory you wish the attacker to waste over bruteforcing your password)