How do you add, “rounds” to a function like hash_hmac()?

Question

I have read from this article http://codahale.com/how-to-safely-store-a-password/ and it says using a salt isn't even safe against GPU brute force attacks. I don't want to get hacked and have passwords decrypted in a few weeks... So I read some more and the solution was bcrypt however I don't want to implement the phpass class, I like SHA-512.

However if one can add rounds to sha-512 to slow down GPU attacks... how can that be done? Does rounds mean iterations?

How do you add rounds to slow down sha512?

Answer 1

One of the most secure ways for storing password that I found is following:

<?php    
function createPasswordSalt($saltLength = 20) {
    return substr(md5(uniqid(rand(), true)), 0, $saltLength);
}

function createPasswordHash($password, $salt = null, $staticKey = null) {
    if ($staticKey === null) {
        $staticKey = "Some passphrase that will be only in your php script";
    }

    if ($salt === null) {
        $salt = self::createPasswordSalt(); 
    }       

    return hash_hmac('sha512', $password . $salt, $staticKey);

}

And I store in database password and hash...

So here I have used multiple layers of security. And one can only hack your passwords if he get your database and php scripts together. In any case if the hacker has your scripts he can hack any password you have in your database as he knows the scheme that you use for hashing passwords.

Answer 2

Increasing the rounds for SHA512 does not mean iterating over an already hashed value with the same hash function. This can actually LESSEN the security given, as after the first hash, your new 'password' has a reduced character set. See this link on security.stackexchange which explains partially, why.

I suggest NOT 'rolling your own' password securing function. Instead use a much more well researched and vetted solution such as PHPass.

On their site is also a very well written and in depth article explaining the security implications of password hashing and creation.