Encrypting Passwords

Question

What is the fastest, yet secure way to encrypt passwords in (PHP Prefered), and for which ever method you choose is it portable?
In other words if I later migrate my website to a different server will my passwords continue to work?
The method I am using now I was told is dependent on the exact versions of the libraries installed on the server.

Answer 1

If you are choosing an encryption method for your login system then speed is not your friend, Jeff had a to-and-frow with Thomas Ptacek about passwords and the conclusion was that you should use the slowest, most secure encryption method you can afford to.

From Thomas Ptacek's blog:
Speed is exactly what you don’t want in a password hash function.

Modern password schemes are attacked with incremental password crackers.

Incremental crackers don’t precalculate all possible cracked passwords. They consider each password hash individually, and they feed their dictionary through the password hash function the same way your PHP login page would. Rainbow table crackers like Ophcrack use space to attack passwords; incremental crackers like John the Ripper, Crack, and LC5 work with time: statistics and compute.

The password attack game is scored in time taken to crack password X. With rainbow tables, that time depends on how big your table needs to be and how fast you can search it. With incremental crackers, the time depends on how fast you can make the password hash function run.

The better you can optimize your password hash function, the faster your password hash function gets, the weaker your scheme is. MD5 and SHA1, even conventional block ciphers like DES, are designed to be fast. MD5, SHA1, and DES are weak password hashes. On modern CPUs, raw crypto building blocks like DES and MD5 can be bitsliced, vectorized, and parallelized to make password searches lightning fast. Game-over FPGA implementations cost only hundreds of dollars.

Answer 2

The way I secure passwords for storage in a database may be overkill but I begin by generating a new seed every time a password changes. The seed is usually 50 or so random bytes base64 encoded and stored in the database along with the users password. The seed is then concatenated with the raw entered password and hashed using SHA1.

So the process for generating storing a new password is:

1. Generate some random data (cryptographically strong if possible)
2. base64 encode the data (in case it contains non-binary safe bytes)
3. concat the seed and the password and SHA1 hash the whole string
4. Store the seed and the whole hash in separate columns (this could be combined in one column and split if needed)

Process for authenticating a user:

1. Find their row in the database and pull out their current seed
2. Concat the seed and their raw entered password and SHA1 hash the whole string
3. Compare the hash to the hash stored in the database

This system has a number of advantages:

• Can be implemented in PHP (like you asked using mt_rand, base64_encode, and sha1)
• SHA1 is a standard and should be portable across any system
• Prevents rainbow table attacks by seeding each hash
• Also prevents someone generating a rainbow table for your seed since it changes each time the password hash changes

Some things it is missing:

• Does nothing to slow down brute force attempts (the hashing method could be changed to do this)
• Is confusing for someone coming to the system for the first time
• Adds one more column to your users table (matters to some people)

Hope this helps.

Answer 3

I'm with Peter. Developer don't seem to understand passwords. We all pick (and I'm guilty of this too) MD5 or SHA1 because they are fast. Thinking about it ('cuz someone recently pointed it out to me) that doesn't make any sense. We should be picking a hashing algorithm that's stupid slow. I mean, on the scale of things, a busy site will hash passwords what? every 1/2 minute? Who cares if it take 0.8 seconds vs 0.03 seconds server wise? But that extra slowness is huge to prevent all types of common brute-forcish attacks.

From my reading, bcrypt is specifically designed for secure password hashing. It's based on blowfish, and there are many implementation.

For PHP, check out PHPPass http://www.openwall.com/phpass/

For anyone doing .NET, check out BCrypt.NET http://derekslager.com/blog/posts/2007/10/bcrypt-dotnet-strong-password-hashing-for-dotnet-and-mono.ashx

Answer 4

I'm not necessarily looking for the fastest but a nice balance, some of the server that this code is being developed for are fairly slow, the script that hashes and stores the password is taking 5-6 seconds to run, and I've narrowed it down to the hashing (if I comment the hashing out it runs, in 1-2 seconds).

It doesn't have to be the MOST secure, I'm not codding for a bank (right now) but I certainly WILL NOT store the passwords as plain-text.

Answer 5

It should be pointed out that you don't want to encrypt the password, you want to hash it.

Encrypted passwords can be decrypted, letting someone see the password. Hashing is a one-way operation so the user's original password is (cryptographically) gone.

Answer 6

Whatever you do, don't write your own encryption algorithm. Doing this will almost guarantee (unless you're a cryptographer) that there will be a flaw in the algorithm that will make it trivial to crack.

Answer 7

Want to slow down the hashing function?

$seed = sha1(uniqid(rand(), true));
$hash = sha1($seed . $password);
for($k=0; $k

I think there's enough hashing to slow down the algorithm a little, and making a very strong hash.