
PHP password protection secure enough

Before I start I'd like to apologise for bringing up this subject once again, as many users did, but with the research I did, I wasn't happy with what I found. I just hope to come up with something really helpful here.

Since md5 or sha1 are considered bad practice (even when using salts ???), I have tried to create this function for hashing my password:

$password = $_POST['password']; // lets say that my password is: my_sercretp@ssword123
function encrypt_the_password($password){
    $salt = "lorem_ipsumd0l0rs1t@m3tc0ns3ct3tur@d1p1sc1ng3lit";
    return hash('sha256', $salt.$password);// can use also different algorithm like sha512 or whirlpool
}
$hashed_password = encrypt_the_password($password);

Note that I use this one on a personal website with only one user, me. In case of having more than one user I came up with something like this:

$password = $_POST['password'];
function generate_salt() {
    $salt = uniqid(md5("lorem_ipsumd0l0rs1t@m3tc0ns3ct3tur@d1p1sc1ng3lit".microtime()));
    $salt = hash('sha256', $salt);// can use also different algorithm like sha512 or whirlpool
    return $salt;
}
function encrypt_the_password($password,$salt){
   return hash('sha256', $salt.$password);// can use also different algorithm like sha512 or whirlpool
}
$hashed_password = encrypt_the_password($password,generate_salt());

Is this secure enough (in each case) or can this be improved more???


MY EDIT: I tried to come up with something new using the crypt() function. Here's my code in case of having a site with only one user, admin:

$password = $_POST['password'];
$salt = "L0r3mIpsUmD0l0rS1tAm3t"; // bcrypt needs exactly 22 salt characters from ./A-Za-z0-9
$hashed_password = crypt($password, '$2a$12$' . $salt); // '$2a$12$' = bcrypt, cost 12

and in case of having a site with more than one users:

$password = $_POST['password'];
function generate_salt() {
        $salt = uniqid(sha1("L0r3mIpsUmD0l0rS1tAm3tc0ns3CT3tur4d1p1sc1ng3lit".microtime()));
        $salt = substr(sha1($salt), 0, 22); // first 22 hex chars as the bcrypt salt
        return $salt;
}
$hashed_password = crypt($password, '$2a$12$' . generate_salt()); // '$2a$12$' = bcrypt, cost 12

Is this ok or does it need improvements???

Improve it by not making up your own algorithm. Your algorithm is insecure because your salt is constant and you only hash with one iteration of SHA256, which is computationally cheap.

Instead, use Bcrypt, which is both computationally expensive and verified by people who know what they're doing, so it's much safer than your solution.

You should use the password functions that will come inbuilt in PHP 5.5. There's a fallback library by ircmaxell that can provide the functions in earlier versions of PHP: https://github.com/ircmaxell/password_compat

It will always use the most recent hashing technique available, and can even update the records for you when needed. Make sure you read the README coming along with this library.

Do not make your own hashing function.
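As an added example (not code from either answer or from the password_compat project), here is what the recommended approach looks like end to end with the native password API: password_hash() for registration, password_verify() for login, and password_needs_rehash() to upgrade old records transparently, which is the "update the records for you" behaviour mentioned above. The table and column names, the function names and the in-memory SQLite database are assumptions made for illustration; the code needs PHP 5.5+ (or 5.3.7+ with password_compat) and the pdo_sqlite extension.

```php
<?php
// Added example: registration and login with PHP's native password API.
// Table/column names (users, id, username, password_hash) are assumptions.

// On registration or password change: store only the hash. password_hash()
// draws a random per-user salt from the system CSPRNG and embeds it in the
// returned string, so no hand-written generate_salt() is needed.
function store_new_password(PDO $db, $userId, $password)
{
    // PASSWORD_DEFAULT is bcrypt today and may move to a stronger algorithm
    // in later PHP releases. cost 12 is the bcrypt work factor (2^12 rounds),
    // the same strength the '$2a$12$' prefix in the question asks for.
    $hash = password_hash($password, PASSWORD_DEFAULT, array('cost' => 12));

    $stmt = $db->prepare('UPDATE users SET password_hash = :hash WHERE id = :id');
    $stmt->execute(array(':hash' => $hash, ':id' => $userId));
}

// On login: password_verify() reads the algorithm, cost and salt back out of
// the stored string and compares in constant time.
function check_login(PDO $db, $username, $password)
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute(array(':u' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run one bcrypt verification, even for unknown usernames, so the
    // response time does not reveal which accounts exist.
    $storedHash = ($row !== false)
        ? $row['password_hash']
        : password_hash('placeholder', PASSWORD_DEFAULT, array('cost' => 12));

    if (!password_verify($password, $storedHash) || $row === false) {
        return false;
    }

    // Transparent upgrade: if the default algorithm or cost has changed since
    // this hash was written, re-hash the plaintext we just verified and store it.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, array('cost' => 12))) {
        store_new_password($db, (int) $row['id'], $password);
    }
    return true;
}

// Self-contained demo against an in-memory SQLite table (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$db->exec("INSERT INTO users (username, password_hash) VALUES ('admin', '')");

store_new_password($db, 1, 'my_sercretp@ssword123'); // the password from the question

var_dump(check_login($db, 'admin', 'my_sercretp@ssword123'));
var_dump(check_login($db, 'admin', 'wrong-password'));
var_dump(check_login($db, 'nobody', 'anything'));
```

Two details worth noticing against the question's crypt() version: the stored value already carries the algorithm, cost and salt (e.g. a `$2y$12$...` prefix), so nothing else has to be persisted per user, and the salt is random per user rather than derived from a fixed string plus microtime(). If you do use crypt() directly on PHP 5.3.7 or later, prefer the `$2y$` prefix over `$2a$`, which was kept for compatibility with a known bug in older versions.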
