Jump to content

Recommended Posts

I just made this mini class for hashing passwords, is this all there is to it? Setting a salt string, and hashing the string using something like sha1(md5($salt.$password))

 

<?php
class MyHash {
	private $salt = "a6B2yj90sZ34";

	public function set_salt($salt){
		$this->salt = $salt;
	}

	public function	hash_string($string){
		return sha1(md5($this->salt.$string));
	}

	public function check_hashed_string($user_input, $correct_pass){
		if($this->hash_string($user_input) == $correct_pass){
			return true;
		}else{
			return false;	
		}
	}
}
?>

Link to comment
https://forums.phpfreaks.com/topic/261838-my-hasher-class-good-enough/
Share on other sites

To be honest I couldn't get much more from that article than needing to generate a random salt for each user and using stronger encryption methods. So the class should be more like:

 

<?php
class MyHash {
	private $salt;

	public function generate_random_salt($salt){
		$this->salt = "a random string of quite a few characters";
	}

	//The rest

 

To be honest xyph has suggested using PHPass, which sounds like the safest way to go rather than making my own class.

To be honest xyph has suggested using PHPass, which sounds like the safest way to go rather than making my own class.

 

The first rule of security is to always assume and plan for the worst. Should you use a salt, ideally a random salt for each user? Sure, it's definitely a good practice, and at the very least it lets you disambiguate two users who have the same password. But these days, salts alone can no longer save you from a person willing to spend a few thousand dollars on video card hardware, and if you think they can, you're in trouble.

 

PHPass is a good idea as a minimum security measure. Unless you are storing more sensitive information like credit card info and such, which I doubt.

Mid-range video cards, cooled properly, will calculate well over a billion MD5's per second. Around half a billion SHA-1 per second.

 

A proper key stretch will take that number down to a million, which is much less feasible.

 

PHPass is a good idea as a minimum security measure. Unless you are storing more sensitive information like credit card info and such, which I doubt.

 

PHPass would be terrible for storing CC numbers, as it's design to be one-way :P IMO, storing CC numbers is something you should never do, unless you're running some sort of payment gateway. Even a subscription service, it's hard to justify that kind of liability when the overhead of using PayPal et al is relatively small. Regardless, safe storage of CCs is well beyond the scope of this discussion board, IMO.

 

I'm also kind of curious what you'd use beyond PHPass for password hashing?

I'm also kind of curious what you'd use beyond PHPass for password hashing?

 

bcrypt probably. I've never used it though. So far I have never had a case that had such a high security concern. And if the project does have to handle sensitive data, we employ licensed third-party software. Because it's better to be able to point the finger at someone other than you :)

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.