What is best for storing passwords? Should I be Encrypting or hashing password for you users table ?
What do you prefer, and why? Could you please provide an example of secure password storage.
+3
A:
Considering passwords generally don't have to be checked / hashed / whatever that often (they are when one is logging in, and registrering ; but that's pretty much it), speed is generaly not much of a concern : what matters is security.
What's generally done is :
- when a user registers, he types his (new) password)
- that password is salted + hashed, and the result is stored in database
- Then, when a user wants to log-in, he types his password
- What is typed is salted + hashed, and compared to the value stored in the database.
They key is : never store the real password in the DB -- only a hash of it ; and salt it before hand, to avoid attacks by rainbow-tables.
And it seems this is already what you're doing -- so good point for you ;-)
Which hashing function should be used ? Well, sha1 is often considered as OK ; md5 is less OK now ; sha512 should be more than OK, I guess.
Pascal MARTIN
2010-07-18 10:56:59
but isnt it overkill ? how about you , how do you just do it. ?
Adam Ramadhan
2010-07-18 11:04:58
@Adam, considering security, there's no such thing as overkill ;-). Of course, it might be that your password hashing scheme is unbreakable and irrelevant because you may have a hardcoded admin account with "0000" as password. A system is only as secure as its *weakest* component and those are often hard to find. However, you can then be sure that it very likely *won't* be your password hashing what's the culprit and doing it wrongly or good usually takes the same amount of effort so I think it's a no-brainer.
Joey
2010-07-18 11:08:09
+1
A:
I'd do this usually:
<?php
function createHash($pwd, $salt = ''){
$hash = '';
if(!$salt){
$salt = hash('sha256',mt_rand().time().$pwd.'2130A');
}
if($pwd[0] & 0){
if($pwd[strlen($pwd)-1] & 1){
$hash = hash('sha256', $pwd.$salt).$salt;
}else{
$hash = $salt.hash('sha256', $pwd.$salt);
}
}else{
if($pwd[strlen($pwd)-1] & 1){
$hash = $salt.hash('sha256',$salt.$pwd);
}else{
$hash = hash('sha256', $salt.$pwd).$salt;
}
}
return $hash;
}
function getSalt($pwdHash){
if($pwd[0] & 0){
if($pwd[strlen($pwd)-1] & 1){
$salt = substr($pwdHash,64);
}else{
$salt = substr($pwdHash,0,64);
}
}else{
if($pwd[strlen($pwd)-1] & 1){
$salt = substr($pwdHash,0,64);
}else{
$salt = substr($pwdHash,64);
}
}
return $salt;
}
var_dump(createHash('testPassword',getSalt($pwdHashFromDb)) == $pwdHashFromDb); // true
- Salting provides higher security than a usual hash.
- The salt position depends on the entered password, and thus this makes the salt less vulnerable to be captured.
- Raw password is never known or stored
- balance between security and speed (for websites).
thephpdeveloper
2010-07-18 11:10:41