How to hash password correctly in PHP?

#21
Quote: (08-26-2017, 08:40 PM) Sikom Wrote:

Quote: (08-26-2017, 12:48 PM) Pikami Wrote:

Quote: (08-26-2017, 11:15 AM) Sikom Wrote:

Would agree with that being beyond stupid


Is this a good solution @'ender'?

Hidden Content

This is not a good solution.
Use BCRYPT man

Why is that not a good solution?

SHA was not created for hashing passwords; it was made for hashing files and other data for integrity. The thing is, SHA is optimized for speed, which means it's easy to bruteforce; bcrypt is slow, so cracking takes fucking ages.
Reply

#22
As @"Ecks" and others have mentioned, salting is imperative in hashing passwords (and Computerphile is great). Without salts, you'll have a repeat of the Adobe incident if your database is compromised. They didn't salt their hashes (so identical passwords had identical hashes) and stored password hints, so it was essentially a giant crossword puzzle for the hackers.

Additionally, DO NOT USE MD5 or any other algorithm with a documented, applied (i.e. not theoretical) attack. I don't care that MD5 is faster or takes up less space (which is pretty much negligible anyway); if you don't want to be vulnerable to proven attacks, don't use it. See the following links for explanations/data.

[link]

[link]


The following code should serve as a viable hashing process. See [link] for a list of algorithms.

Hidden Content

Use the "hash" and "salt" keys to access their respective values in the array returned from hash_passwd().

Finally, use [link] to mitigate timing attacks when comparing hashes.

Edit: @"Pikami": SHA-256 and SHA-512 are viable for cryptographic use but you're correct in respect to SHA-1, which has been documented as cracked several times.
Reply

#23
As well on the topic of security, databases, and SQL, always remember to sanitize your inputs or you run the risk of leaking the contents of your db, as well as having it deleted altogether.
Reply

#24
Quote: (08-27-2017, 02:41 AM) Inori Wrote:

As well on the topic of security, databases, and SQL, always remember to sanitize your inputs

Absolutely.

Sanitizing an SQL query based on user input is of utmost importance. It's appalling how many organizations (I come across every day) neglect this altogether.
Reply

#25
PASSWORD_DEFAULT could change (Highly unlikely) so I suggest PASSWORD_BCRYPT
Reply

#26

Hidden Content


It takes the pass and hashes it in md5 (already non-reversible but easy to dictionary attack), then takes that and base64 encrypts it, then bcrypts the base64 encrypt. (Overkill a bit)

Tbh you'd be fine with just password_hash($pass, PASSWORD_BCRYPT);
Reply

#27
Quote: (08-28-2017, 06:56 PM) Mystique Wrote:

It takes the pass and hashes it in md5 (already non-reversible but easy to dictionary attack), then takes that and base64 encrypts it, then bcrypts the base64 encrypt. (Overkill a bit)

Tbh you'd be fine with just password_hash($pass, PASSWORD_BCRYPT);

Again, DO NOT USE MD5 IN PRODUCTION. As I outlined in my post, and as you said here, it's extremely vulnerable and should not be used.
Reply

#28
It's useful to [link] to help you learn about Timing Attacks so you don't get hacked due to a timing attack.
I would use bcrypt as it cannot be brute forced, broken with password dictionaries, or broken with rainbow tables.
Reply
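The advice in #22, #25, #26 and #28 (bcrypt via password_hash, salting, and a constant-time comparison) fits together in PHP's built-in password API. The following is an added example written for this thread, not code posted by anyone above; it assumes PHP 7.0 or later and a cost factor of 12, which is a choice, not a requirement.

```php
<?php
// Added example (not from the thread): bcrypt password storage with PHP's
// password_* functions. Assumes PHP >= 7.0; BCRYPT_COST is an arbitrary choice.
declare(strict_types=1);

const BCRYPT_COST = 12; // work factor; raise it over time as hardware gets faster

function hashPassword(string $plain): string
{
    // bcrypt silently truncates input at 72 bytes; reject longer input rather
    // than letting two different long passwords verify as equal.
    if (strlen($plain) > 72) {
        throw new InvalidArgumentException('password longer than 72 bytes');
    }
    // password_hash generates a random salt and embeds it, together with the
    // algorithm id and cost, in the returned "$2y$12$..." string, so there is
    // no separate salt to store (this is what post #30 asks about).
    $hash = password_hash($plain, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    if ($hash === false) { // PHP 7 returns false on failure; PHP 8 throws instead
        throw new RuntimeException('password_hash failed');
    }
    return $hash;
}

function verifyPassword(string $plain, string $storedHash): array
{
    // password_verify reads the salt and cost out of $storedHash and compares
    // in constant time, so no manual hash_equals is needed for passwords.
    if (!password_verify($plain, $storedHash)) {
        return ['ok' => false, 'rehash' => null];
    }
    // If the cost was raised since this hash was made, hand back a fresh hash
    // so the caller can update the row after a successful login.
    $rehash = password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])
        ? hashPassword($plain)
        : null;
    return ['ok' => true, 'rehash' => $rehash];
}

// hash_equals is still the right tool where password_verify does not apply,
// e.g. checking a password-reset token against its stored SHA-256 digest.
function tokenMatches(string $presented, string $storedTokenHash): bool
{
    return hash_equals($storedTokenHash, hash('sha256', $presented));
}

// Demo with a constructed password.
$stored = hashPassword('correct horse battery staple');
var_dump(verifyPassword('correct horse battery staple', $stored)['ok']);
var_dump(verifyPassword('wrong', $stored)['ok']);
// Hashing the same password twice yields different strings because of the random salt.
var_dump($stored !== hashPassword('correct horse battery staple'));
// A reset token is compared in constant time against its stored digest.
$storedTokenHash = hash('sha256', 'constructed-token');
var_dump(tokenMatches('constructed-token', $storedTokenHash));
```

PASSWORD_BCRYPT is used explicitly, as #25 suggests, so the stored format does not change if a future PHP release moves PASSWORD_DEFAULT to another algorithm; password_needs_rehash then lets you migrate cost or algorithm gradually as users log in.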

#29
this is how my passwords are encrypted

$unhashedPassword = "test";
$hashedPassword = password_hash($unhashedPassword, PASSWORD_BCRYPT); // bcrypt with a random salt
$user->update("users", array("password" => self::sanitize($hashedPassword)), "id", $_SESSION['id']); // array() was missing its closing paren
Reply

#30
Quote: (01-31-2018, 05:43 PM) PhucedMODZ Wrote:

this is how my passwords are encrypted

$unhashedPassword = "test";
$hashedPassword = password_hash($unhashedPassword, PASSWORD_BCRYPT);
$user->update("users", array("password" => self::sanitize($hashedPassword)), "id", $_SESSION['id']);

Make sure to tick the "Disable Smilies" checkbox next time or just use code tags for your code since it kinda sucks if it replaces some parts of your code with smilies.
I'd recommend using a salt for your passwords, just to make it a little bit more secure. It's not really required but helps if you want to do it as secure as possible.
Reply
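Posts #23 and #24 raise input sanitizing for the SQL side, and #29/#30 show the hash being written through a hand-rolled sanitize() helper. The added example below (mine, not the thread's code) does the same create/update/login flow with PDO prepared statements, so the hash and the user id travel as bound parameters and never touch the SQL text. It assumes the pdo_sqlite extension and uses an in-memory database so it runs on its own; the table layout and user names are constructed for the demo.

```php
<?php
// Added example (not from the thread): storing and checking bcrypt hashes with
// PDO prepared statements instead of a custom sanitize() helper.
// Assumes pdo_sqlite; the in-memory database and sample users are constructed.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT NOT NULL)');
    return $db;
}

function createUser(PDO $db, string $username, string $plain): int
{
    $hash = password_hash($plain, PASSWORD_BCRYPT);
    // Values are bound parameters, never spliced into the query string, so a
    // username containing quotes or SQL keywords is stored as a literal value.
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
    return (int) $db->lastInsertId();
}

function setPassword(PDO $db, int $userId, string $plain): void
{
    // The equivalent of the update() call in post #29, with typed bindings.
    $hash = password_hash($plain, PASSWORD_BCRYPT);
    $stmt = $db->prepare('UPDATE users SET password = :p WHERE id = :id');
    $stmt->bindValue(':p', $hash, PDO::PARAM_STR);
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
}

function login(PDO $db, string $username, string $plain): ?int
{
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Run password_verify against a dummy hash when the user does not exist,
    // so response time does not reveal which usernames are registered.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_BCRYPT);
    }
    $stored = $row === false ? $dummyHash : $row['password'];
    $ok = password_verify($plain, $stored) && $row !== false;
    return $ok ? (int) $row['id'] : null;
}

// Demo with constructed data.
$db = openDb();
$id = createUser($db, 'alice', 'hunter2');
var_dump(login($db, 'alice', 'hunter2') === $id);   // correct password
var_dump(login($db, 'alice', 'wrong'));             // wrong password
var_dump(login($db, "alice' OR '1'='1", 'hunter2')); // quotes in the username are just data
setPassword($db, $id, 'new-passphrase');
var_dump(login($db, 'alice', 'new-passphrase') === $id);
```

The hash string itself is ASCII (`$2y$` prefix, base64-like body) and needs no escaping; what protects the query is that the driver receives the SQL and the values separately, which is the property a regex-style sanitize() cannot guarantee.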



©0Day 2016 - 2023 | All Rights Reserved.