views: 133
answers: 2
What is best for storing passwords? Should I be encrypting or hashing passwords for my users table?

What do you prefer, and why? Could you please provide an example of secure password storage?

+3  A: 

Considering passwords generally don't have to be checked / hashed / whatever that often (they are when one is logging in, and registering; but that's pretty much it), speed is generally not much of a concern: what matters is security.

What's generally done is:

  • when a user registers, he types his (new) password
  • that password is salted + hashed, and the result is stored in the database
  • then, when a user wants to log in, he types his password
  • what is typed is salted + hashed, and compared to the value stored in the database.

The key is: never store the real password in the DB -- only a hash of it; and salt it beforehand, to avoid attacks by rainbow tables.

And it seems this is already what you're doing -- so good point for you ;-)


Which hashing function should be used? Well, sha1 is often considered OK; md5 is less OK now; sha512 should be more than OK, I guess.

Pascal MARTIN
But isn't it overkill? How about you, how do you just do it?
Adam Ramadhan
@Adam, considering security, there's no such thing as overkill ;-). Of course, it might be that your password hashing scheme is unbreakable and irrelevant because you may have a hardcoded admin account with "0000" as password. A system is only as secure as its *weakest* component, and those are often hard to find. However, you can then be sure that it very likely *won't* be your password hashing that's the culprit, and doing it wrong or right usually takes the same amount of effort, so I think it's a no-brainer.
Joey
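The register/login flow the answer above describes, as an added Python example (not code from the post or from any project it mentions). A dict stands in for the users table, every user gets a fresh random salt from os.urandom, and the "salt + hash" step uses PBKDF2-HMAC-SHA256 from the standard library so that the stored value is also slow to guess offline; the 600,000-round work factor, the algorithm$iterations$salt$hash storage format and the dummy-hash trick for unknown usernames are this example's own choices, not the answer's.

```python
"""Salted password storage: register, store the hash only, verify on login."""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed work factor for this example; tune per deployment
SALT_BYTES = 16
HASH_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Registration: draw a fresh random salt, derive, and pack everything the
    verifier will later need into one string: algorithm$iterations$salt_hex$hash_hex."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=HASH_BYTES
    )
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Login: re-derive with the salt and parameters recovered from the stored
    string and compare in constant time. Malformed stored values never verify."""
    try:
        algorithm, iterations_str, salt_hex, hash_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iterations_str)
    except ValueError:
        return False
    if iterations < 1 or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when the stored value uses fewer rounds than the current setting,
    so it can be upgraded transparently on the next successful login."""
    parts = stored.split("$")
    try:
        return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < ITERATIONS
    except ValueError:
        return True


# Stand-in for the users table: username -> stored hash string, never the password.
USERS = {}

# Verifying against a fixed dummy hash makes a login for an unknown username cost
# the same KDF run as a wrong password, so timing does not reveal which users exist.
_DUMMY = hash_password("dummy")


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    stored = USERS.get(username, _DUMMY)
    ok = verify_password(password, stored)
    known = username in USERS
    if ok and known and needs_rehash(stored):
        USERS[username] = hash_password(password)   # raise the work factor in place
    return ok and known
```

Two users with the same password end up with different stored strings because the salt differs, which is exactly what defeats a precomputed (rainbow) table; the iteration count is what the plain SHA-family hashes mentioned in the answer do not give you.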
+1  A: 

I'd do this usually:

<?php

// Build "hash + salt" (or "salt + hash") for $pwd. With no salt given a new
// one is generated, so the same function serves registration and verification.
function createHash($pwd, $salt = ''){
  if(!$salt){
    // 64 hex chars; '2130A' is a static secret mixed into the salt material
    $salt = hash('sha256', mt_rand().time().$pwd.'2130A');
  }
  // The low bit of the first and last password bytes selects whether the salt
  // is prepended or appended, both to the hash input and to the stored value.
  $first = ord($pwd[0]) & 1;
  $last  = ord($pwd[strlen($pwd)-1]) & 1;
  if($first){
    if($last){
      $hash = hash('sha256', $pwd.$salt).$salt;
    }else{
      $hash = $salt.hash('sha256', $pwd.$salt);
    }
  }else{
    if($last){
      $hash = $salt.hash('sha256', $salt.$pwd);
    }else{
      $hash = hash('sha256', $salt.$pwd).$salt;
    }
  }
  return $hash;
}

// Recover the salt from a stored value. Its position depends on the password,
// so the candidate password has to be passed in as well.
function getSalt($pwdHash, $pwd){
  $first = ord($pwd[0]) & 1;
  $last  = ord($pwd[strlen($pwd)-1]) & 1;
  if($first){
    if($last){
      $salt = substr($pwdHash, 64);     // hash first, salt last
    }else{
      $salt = substr($pwdHash, 0, 64);  // salt first, hash last
    }
  }else{
    if($last){
      $salt = substr($pwdHash, 0, 64);
    }else{
      $salt = substr($pwdHash, 64);
    }
  }
  return $salt;
}

// Registration: this is what goes into the database, never the password.
$pwdHashFromDb = createHash('testPassword');

// Login: rebuild with the stored salt and compare in constant time.
$candidate = 'testPassword';
var_dump(hash_equals($pwdHashFromDb, createHash($candidate, getSalt($pwdHashFromDb, $candidate)))); // true

  • Salting provides higher security than a usual hash.
  • The salt position depends on the entered password, and thus this makes the salt less vulnerable to being captured.
  • Raw password is never known or stored
  • balance between security and speed (for websites).
thephpdeveloper
What's the 2130A?
Adam Ramadhan
It's a static salt, something like a secret key.
thephpdeveloper