What is best for storing passwords? Should I be Encrypting or hashing password for you users table ?
What do you prefer, and why? Could you please provide an example of secure password storage.
What is best for storing passwords? Should I be Encrypting or hashing password for you users table ?
What do you prefer, and why? Could you please provide an example of secure password storage.
Considering passwords generally don't have to be checked / hashed / whatever that often (they are when one is logging in, and registrering ; but that's pretty much it), speed is generaly not much of a concern : what matters is security.
What's generally done is :
They key is : never store the real password in the DB -- only a hash of it ; and salt it before hand, to avoid attacks by rainbow-tables.
And it seems this is already what you're doing -- so good point for you ;-)
Which hashing function should be used ? Well, sha1 is often considered as OK ; md5 is less OK now ; sha512 should be more than OK, I guess.
I'd do this usually:
<?php
function createHash($pwd, $salt = ''){
$hash = '';
if(!$salt){
$salt = hash('sha256',mt_rand().time().$pwd.'2130A');
}
if($pwd[0] & 0){
if($pwd[strlen($pwd)-1] & 1){
$hash = hash('sha256', $pwd.$salt).$salt;
}else{
$hash = $salt.hash('sha256', $pwd.$salt);
}
}else{
if($pwd[strlen($pwd)-1] & 1){
$hash = $salt.hash('sha256',$salt.$pwd);
}else{
$hash = hash('sha256', $salt.$pwd).$salt;
}
}
return $hash;
}
function getSalt($pwdHash){
if($pwd[0] & 0){
if($pwd[strlen($pwd)-1] & 1){
$salt = substr($pwdHash,64);
}else{
$salt = substr($pwdHash,0,64);
}
}else{
if($pwd[strlen($pwd)-1] & 1){
$salt = substr($pwdHash,0,64);
}else{
$salt = substr($pwdHash,64);
}
}
return $salt;
}
var_dump(createHash('testPassword',getSalt($pwdHashFromDb)) == $pwdHashFromDb); // true