PHP – safe way to hash password

Oct 10, 2013, by admin

Password hashing is one of the most basic security considerations when designing any application that accepts passwords from users. Without hashing, any passwords stored in your application’s database can be stolen if the database is compromised, and then immediately used to compromise not only your application but also your users’ accounts on other services, if they do not use unique passwords.

By applying a hashing algorithm to your users’ passwords before storing them in your database, you make it hard for any attacker to determine the original password, while still being able to compare the resulting hash to the original password in the future.

It is important to note, however, that hashing passwords only protects them from being compromised in your data store, but does not necessarily protect them from being intercepted by malicious code injected into your application itself.

When hashing passwords, the two most important considerations are the computational expense, and the salt. The more computationally expensive the hashing algorithm, the longer it will take to brute force its output.

There are two functions that are bundled with PHP that can perform hashing using a specified algorithm.

The first hashing function is crypt(), which natively supports several hashing algorithms. When using this function, you are guaranteed that the algorithm you select is available, as PHP contains native implementations of each supported algorithm, in case one or more are not supported by your system.

The second hashing function is hash(), which supports many more algorithms and variants than crypt(), but does not support some algorithms that crypt() does. The Hash extension is bundled with PHP, but can be disabled during compile-time, so it is not guaranteed to be available, while crypt() is, being in the PHP core.

The suggested algorithm to use when hashing passwords is Blowfish, as it is significantly more computationally expensive than MD5 or SHA1, while still being scalable.

Below is a complete, runnable password hashing example that uses 5 iterations, which makes it more secure than a single round of hashing.

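<?php
    // Your password (constructed sample value).
    $password = 'correct horse battery staple';
    // Use a unique random salt of at least 24 bytes for each user.
    // Constructed sample value in crypt()'s Blowfish format; do not reuse it.
    $salt = '$2y$10$' . 'abcdefghijklmnopqrstuu';
    // Use the highest number of iterations.
    $iterations = 5;
    $hash = crypt($password, $salt);
    for ($i = 0; $i < $iterations; ++$i) {
        // Blowfish hashing in crypt() reads only the first 72 bytes of its input,
        // so the 60-character $hash leaves room for 12 bytes of $password here.
        $hash = crypt($hash . $password, $salt);
    }
    echo $hash;
?>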

The above, of course, can be used with md5(), sha1(), etc. as well as crypt().
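
The salt, computational-expense and later-comparison points above, shown with crypt()'s Blowfish algorithm as an added example (not code from the original post): it builds a per-user salt, hashes, verifies a later login attempt, and times three cost settings. It assumes PHP 7.0 or later; the helper function names and sample passwords are illustrative assumptions.

```php
<?php
// Added example, not from the original post. Assumes PHP 7.0+ (random_bytes()).
// make_salt(), hash_password() and verify_password() are hypothetical helper names.

// Build a crypt() Blowfish salt: "$2y$", a two-digit cost, "$", then 22 chars of [./A-Za-z0-9].
function make_salt(int $cost = 10): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('Blowfish cost must be between 4 and 31');
    }
    // 16 random bytes give 24 base64 chars (the last two are "=" padding).
    // Keep the first 22 and map '+' to '.' to match crypt()'s salt alphabet.
    $chars = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $chars);
}

function hash_password(string $password, int $cost = 10): string
{
    $hash = crypt($password, make_salt($cost));
    // A rejected salt yields a short failure string instead of a 60-char hash.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not produce a Blowfish hash');
    }
    return $hash; // store this single string: it embeds algorithm, cost and salt
}

function verify_password(string $password, string $stored): bool
{
    // Passing the stored hash as the salt makes crypt() reuse its algorithm, cost and salt.
    $check = crypt($password, $stored);
    // hash_equals() compares in constant time, so timing does not leak the matching prefix.
    return strlen($check) === 60 && hash_equals($stored, $check);
}

// Constructed sample values.
$stored = hash_password('correct horse battery staple', 10);
var_dump(verify_password('correct horse battery staple', $stored));
var_dump(verify_password('wrong guess', $stored));

// The cost is a base-2 logarithm: each extra step doubles the work per guess.
foreach ([8, 10, 12] as $cost) {
    $start = microtime(true);
    hash_password('timing-sample', $cost);
    printf("cost %d: %.1f ms\n", $cost, (microtime(true) - $start) * 1000);
}
```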
