tags:

views:

601

answers:

4
+1  Q: 

Best hash algorithm to use in PHP/MYSQL

Which is the best recommended algorithm to use for encrypting passwords in php/mysql

+3  A: 

I would use the php's crypt() function because there will not be anyway for the password to be decrypted. When I need to check the newly entered password I just have to encrypt that one and compare the two results

phunehehe  2010-01-12 10:49:37
+2  A: 

There's a decent article here - short answer, use crypt(), and make sure you use a salt.

Dominic Rodger  2010-01-12 10:50:28
+2  A: 

SHA-256 is the best & most secure way to hash a password, and if that's not available then use SHA-1.

TravisO  2010-01-12 12:47:20
Are you saying SHA-512 is worse or less secure?
Core Xii  2010-10-18 18:44:50
+1  A: 

There are a lot of options - see the php hash docs for the complete list.

Speed is not an advantage, so using sha-512 or whirlpool is a good idea. You don't have to store the full length of the hash in mysql, for instance you could hash something as whirlpool, which is 128 characters long, and store only the first 64 characters for efficiency.

Alex JL  2010-01-12 12:53:32
Truncating a hash is very bad advice, and is absolutely unnecessary, as sha256 will return 64 hexadecimal digits, and it's designed for that length. Truncating any hash will lower security significantly! Also you are writing about 128 characters - 0-9,a-f. This is inefficient storage of binary values such as hash, as it's taking twice as much space, so 64-bit binary field would store your 128 characters and you don't need to truncate anything. Although it could be better for maintenance to have hash in more readable format, you can use base64 encryption.
praksant  2010-05-13 18:30:46
@praksant I'm not a crypto expert, but it seems to me that storing characters 32-96 of a whirlpool hash is good enough for the vast majority of applications. It does increase the chances of an attacker finding a collision, but still, this would be be a lot better than SHA1/MD5, which so many people still use. What improvement would it be to use base64?
Alex JL  2010-05-13 22:14:26
I'm no crypto expert either, but if there is a way to store whole hash in the same number of bytes, why should anyone make a sacrifice in security for nothing? I'm not saying it's not secure enough for many applications. It might be. And base64 encoding will store binary data at 6 bits per byte, hexadecimal form only 4 per byte. So with base64 you would need 86 bytes to store 512-bit hash instead of 128 bytes. In raw binary it would be 64 bytes.
praksant  2010-05-14 00:45:21

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL