Posts posted by SaranacLake

  1. Now that I know that the PHP function password_hash() and the hashing algorithm "bcrypt" are recommended for best hashing security when using PHP, I have a follow-up question...

    Would it be secure to hash something like "credit_card_used" and "last-4 of credit card" and store those as hashes either outside of webroot on my VPS, or maybe in MySQL?

    In my OP, and subsequent posts, I am trying to get a better grasp of how "secure" hashing is...

    a.) Because if my website ever got hacked, I want the peace of mind that at least my users' hashed passwords are safe - or at least safe long enough for people to reset things

    b.) Because I would like to do the following, IF it can be done "securely"...

    Capture and store as a hash the credit card type and last-4 of the credit card when a customer subscribes on my website, so that I have a way to limit the number of accounts on a given credit card to "2".

    From what I have read in the past - and this could be outdated - it would take decades to try and crack a piece of data hashed using SHA-512.

    IF that were true, then at least technically, you could reasonably hash something like last-4 of a cc and be safe.  (Whether this is legal is another issue I'd have to research?!)
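The proposal above (a deterministic hash of card type plus last four digits, used to cap accounts per card) can be tested directly. The following is an added example, not code from this thread; it assumes four accepted card types, a secret delivered through a CARD_FP_SECRET environment variable, and constructed sample rows. The unkeyed function is what the post describes: whether the algorithm is SHA-512 or bcrypt, the input space is only 4 x 10,000 values, so a stolen row is reversed by enumeration (instantly for SHA-512, well under an hour for bcrypt at cost 10). The keyed HMAC variant keeps the "same card" lookup working while the secret stays out of the database.

```php
<?php
// Added example, not code from this thread. Shows why an unkeyed hash of
// "card type + last four digits" does not protect those values, and a keyed
// HMAC alternative that still supports "at most N accounts per card".
// CARD_TYPES, CARD_FP_SECRET and the sample rows are constructed assumptions.

declare(strict_types=1);

const CARD_TYPES = ['visa', 'mastercard', 'amex', 'discover']; // assumption: the types the site accepts
const ACCOUNTS_PER_CARD = 2;

// What the post proposes. A per-row salt is included, and it does not help:
// whoever steals the row also has the salt.
function unkeyedFingerprint(string $cardType, string $last4, string $salt): string
{
    return hash('sha512', $salt . $cardType . ':' . $last4);
}

// Reverse a stolen row by enumerating the whole input space:
// 4 card types x 10,000 four-digit strings = 40,000 SHA-512 computations.
function bruteForceUnkeyed(string $stolenHex, string $salt): ?array
{
    foreach (CARD_TYPES as $type) {
        for ($i = 0; $i < 10000; $i++) {
            $guess = sprintf('%04d', $i);
            if (hash_equals($stolenHex, unkeyedFingerprint($type, $guess, $salt))) {
                return [$type, $guess];
            }
        }
    }
    return null;
}

// Deterministic keyed fingerprint: the same card always maps to the same
// value, so the database can count accounts per card, but without $secret an
// offline attacker cannot run the enumeration above. Keep $secret outside the
// database (environment, KMS, a file above the web root), never in the row.
function keyedFingerprint(string $cardType, string $last4, string $secret): string
{
    return hash_hmac('sha512', $cardType . ':' . $last4, $secret);
}

function accountsForCard(array $accounts, string $fingerprint): int
{
    $matches = array_filter($accounts, function (array $acct) use ($fingerprint): bool {
        return hash_equals($acct['card_fp'], $fingerprint);
    });
    return count($matches);
}

function signupAllowed(array $accounts, string $fingerprint): bool
{
    return accountsForCard($accounts, $fingerprint) < ACCOUNTS_PER_CARD;
}

// --- demonstration ---------------------------------------------------------
$salt   = bin2hex(random_bytes(16));
$stolen = unkeyedFingerprint('visa', '4242', $salt); // constructed "leaked" row

$t0    = microtime(true);
$found = bruteForceUnkeyed($stolen, $salt);
printf("unkeyed SHA-512 row reversed to %s ending in %s in %.3f s\n",
    $found[0], $found[1], microtime(true) - $t0);

// Keyed version: same lookup, but the secret never touches the database.
$secret = getenv('CARD_FP_SECRET') ?: bin2hex(random_bytes(32)); // assumption: deployed via env var
$visaFp = keyedFingerprint('visa', '4242', $secret);
$accounts = [ // constructed sample data
    ['user' => 'alice', 'card_fp' => $visaFp],
    ['user' => 'bob',   'card_fp' => $visaFp],
    ['user' => 'carol', 'card_fp' => keyedFingerprint('amex', '0005', $secret)],
];
printf("accounts already on this Visa: %d, third signup allowed: %s\n",
    accountsForCard($accounts, $visaFp), signupAllowed($accounts, $visaFp) ? 'yes' : 'no');
```

Two caveats a practitioner would check before building this. password_hash() cannot be used for the per-card count at all, because its random salt makes every hash different, which is exactly what defeats the lookup; a keyed HMAC (or the card fingerprint token a payment processor returns) is the deterministic tool. And the keyed fingerprint is only as secret as its key: it must be stored where a database dump does not reach, and anyone holding both dump and key can still see which accounts share a card. On the legal side, the last four digits are the portion of the PAN that PCI DSS permits to be displayed in truncated form, so hashing them protects less than the post expects, while the rules on storing anything card-related at all are worth reading first.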

  2. 3 hours ago, Zane said:

    I don't think requinix could have put it any better.  Unless you're doing a master thesis on this stuff, there's really no point in asking such questions.  There isn't so much one that is "better" than the other, they're just tools.  It's up to the developer/engineer to use them as they see fit.  MD5 has its bad rap, but perhaps someone needs it for whatever reason. 

    If I asked you what the best hammer to use for 2019, then you would get a myriad of answers and opinions.

    Master's thesis, no.  But I am trying to learn more each day to be a better developer and produce more *secure* solutions, YES!!

    The advice above is like saying, "Unless you are ASE-certified, then you should NOT change your own oil or learn to do basic auto maintenance..."

    Ridiculous, really.

    **Edited to add the word "NOT" above!!  🙂

  3. 39 minutes ago, requinix said:

    I'm not asking if you think the code looks solid. Do you understand HMAC? SHA512? Salting? Fully? Like are you willing to apply for some sort of certification regarding cryptographic knowledge?

    I don't think so. So use password_hash.

    It sounds like password_hash uses bcrypt by default.

    Would you agree that bcrypt is probably one of the strongest ways to hash something in 2019?  Or is there something even better?

  4. 15 hours ago, requinix said:

    Unless you're 110% sure that you know what you're doing, like really know and didn't just copy some code you found on the internet, then you should be using password_hash().

    The line of code I posted above seems pretty idiot-proof, so based on your response, apparently that is an outdated approach and password_hash() is superior, huh?

  5. Sorry, I didn't see your replies.

    I was asking about passwords.  (What other places would you use hashing?)

    Currently in my code - which has sat on the shelf for a couple years - I am using...

```php
// VINEGAR is a site-wide constant (a "pepper") defined elsewhere in the poster's code
$loginHash = hash_hmac('sha512', $pass . $salt, VINEGAR);
```

    Thoughts?
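To put the line posted above next to the password_hash() approach the other replies recommend, and to answer the question in the later post about whether bcrypt is one of the strongest options in 2019, here is an added example that is not code from this thread. VINEGAR is redefined here as a stand-in for the poster's constant, BCRYPT_COST is an assumed value to be tuned on the real server, and the credentials are constructed.

```php
<?php
// Added example, not code from this thread. Puts the poster's
// hash_hmac('sha512', $pass . $salt, VINEGAR) next to password_hash() /
// password_verify(), and shows rehash-on-login so the cost can be raised
// later. VINEGAR, BCRYPT_COST and the credentials below are assumptions.

declare(strict_types=1);

define('VINEGAR', 'site-wide-secret-stored-outside-the-db'); // assumption: stands in for the poster's constant

// The thread's construction: one SHA-512 HMAC round keyed with a global
// secret. The weakness is speed, not the secret: VINEGAR lives on the same
// server as the database, so once both are taken an attacker can try
// hundreds of millions of guesses per second on ordinary hardware.
function legacyHash(string $pass, string $salt): string
{
    return hash_hmac('sha512', $pass . $salt, VINEGAR);
}

// password_hash() generates a random salt, runs bcrypt for 2^cost iterations
// and encodes algorithm, cost and salt in the returned string, so only that
// string has to be stored.
const BCRYPT_COST = 12; // assumption: tune so one hash takes ~250 ms on the real server

function storeNewPassword(string $pass): string
{
    return password_hash($pass, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Verify, and return an upgraded hash when the stored one used a lower cost
// (or an older algorithm) than the current setting. Returns [ok, newHashOrNull].
function checkLogin(string $pass, string $storedHash): array
{
    if (!password_verify($pass, $storedHash)) {
        return [false, null];
    }
    $upgraded = password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])
        ? storeNewPassword($pass)
        : null;
    return [true, $upgraded];
}

// Rough single-core measurement of how many guesses per second each scheme
// hands an offline attacker; GPUs widen the gap for SHA-512 far more than for bcrypt.
function guessesPerSecond(callable $hashOnce, int $iterations): float
{
    $t0 = microtime(true);
    for ($i = 0; $i < $iterations; $i++) {
        $hashOnce("guess$i");
    }
    return $iterations / (microtime(true) - $t0);
}

// --- demonstration ---------------------------------------------------------
$salt = bin2hex(random_bytes(16));
printf("HMAC-SHA512:    %.0f guesses/s\n",
    guessesPerSecond(function (string $g) use ($salt): string { return legacyHash($g, $salt); }, 200000));
printf("bcrypt cost %d: %.1f guesses/s\n", BCRYPT_COST,
    guessesPerSecond(function (string $g): string { return storeNewPassword($g); }, 5));

// Login against a hash that was created at an older, lower cost.
$stored = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
[$ok, $newHash] = checkLogin('correct horse battery staple', $stored);
printf("login ok: %s, rehashed to cost %d: %s\n", $ok ? 'yes' : 'no', BCRYPT_COST, $newHash !== null ? 'yes' : 'no');
[$ok, $newHash] = checkLogin('wrong password', $stored);
printf("wrong password accepted: %s\n", $ok ? 'yes' : 'no');
```

On the "is there something even better" question: bcrypt through password_hash() remains a sound default, and PHP 7.3 and later also offer PASSWORD_ARGON2ID when the build includes libargon2. Two practical caveats: bcrypt only considers the first 72 bytes of the password, so very long passphrases are silently truncated, and the cost factor should be measured on the production hardware rather than taken from the assumed value here.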
