Zephni, posted April 30, 2012 (https://forums.phpfreaks.com/topic/261838-my-hasher-class-good-enough/)

I just made this mini class for hashing passwords, is this all there is to it? Setting a salt string, and hashing the string using something like sha1(md5($salt.$password))

<?php
class MyHash {
    private $salt = "a6B2yj90sZ34";

    public function set_salt($salt){
        $this->salt = $salt;
    }

    public function hash_string($string){
        return sha1(md5($this->salt.$string));
    }

    public function check_hashed_string($user_input, $correct_pass){
        if($this->hash_string($user_input) == $correct_pass){
            return true;
        }else{
            return false;
        }
    }
}
?>
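For contrast with the class above, here is an added example (not Zephni's code and not PHPass) that provides the same three operations on top of PHP's built-in password_* API, which did not exist when the thread was written (password_hash() arrived in PHP 5.5; the syntax below needs PHP 8.0). The cost value of 12 and the sample passwords are assumptions for illustration.

```php
<?php
// Added example, not the class from the post: the same operations (hash,
// check, tune) built on PHP's password_* API (PHP >= 8.0 syntax).
declare(strict_types=1);

final class PasswordHasher
{
    // bcrypt work factor; each +1 doubles the time per hash. 12 is an
    // assumed starting point, to be tuned on the real login hardware.
    public function __construct(private int $cost = 12) {}

    public function hash(string $password): string
    {
        // password_hash() draws a fresh 128-bit salt from a CSPRNG on every
        // call and embeds it in the result ($2y$<cost>$<salt><hash>), so no
        // application-wide secret salt exists and two users with the same
        // password get different stored strings.
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => $this->cost]);
    }

    public function verify(string $password, string $stored): bool
    {
        // Re-derives the hash using the salt and cost parsed from $stored and
        // compares in constant time.
        return password_verify($password, $stored);
    }

    public function needsRehash(string $stored): bool
    {
        // True if $stored was produced with another algorithm or a lower cost;
        // call after a successful verify() and re-store to migrate old rows.
        return password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $this->cost]);
    }
}

// The original check_hashed_string() compares hex digests with ==, which PHP
// evaluates numerically when both operands look like numbers: '0e1' and '0e2'
// both parse as zero and therefore compare equal. hash_equals() compares
// byte for byte in constant time and has no such quirk.
function compareDigests(string $computed, string $stored): bool
{
    return hash_equals($stored, $computed);
}

$hasher = new PasswordHasher();
$stored = $hasher->hash('correct horse battery staple');
echo $stored, PHP_EOL;
var_dump($hasher->verify('correct horse battery staple', $stored));
var_dump($hasher->verify('wrong password', $stored));
var_dump($hasher->needsRehash($stored));
var_dump('0e1' == '0e2', compareDigests('0e1', '0e2'));
```

Two things the example shows that the original class does not: the salt is per-user and stored with the hash rather than being a single constant in source control, and the comparison is done by password_verify()/hash_equals() rather than ==, which in PHP treats numeric-looking strings as numbers.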
ignace, posted April 30, 2012

Read http://www.codinghorror.com/blog/2012/04/speed-hashing.html
Zephni (author), posted April 30, 2012

To be honest I couldn't get much more from that article than needing to generate a random salt for each user and using stronger encryption methods. So the class should be more like:

<?php
class MyHash {
    private $salt;

    public function generate_random_salt($salt){
        $this->salt = "a random string of quite a few characters";
    }

    //The rest

To be honest xyph has suggested using PHPass, which sounds like the safest way to go rather than making my own class.
ignace, posted April 30, 2012

> To be honest xyph has suggested using PHPass, which sounds like the safest way to go rather than making my own class.

The first rule of security is to always assume and plan for the worst. Should you use a salt, ideally a random salt for each user? Sure, it's definitely a good practice, and at the very least it lets you disambiguate two users who have the same password. But these days, salts alone can no longer save you from a person willing to spend a few thousand dollars on video card hardware, and if you think they can, you're in trouble.

PHPass is a good idea as a minimum security measure. Unless you are storing more sensitive information like credit card info and such, which I doubt.
Zephni (author), posted April 30, 2012

Thanks, I just read my reply and realised I didn't sound very thankful for the link to the article. It actually was very insightful. Thanks
El Chupacodra, posted April 30, 2012

I would also recommend you read this article on php.net: http://se2.php.net/manual/en/faq.passwords.php

Modern video cards are capable of ten million password attempts a second or more so security is important.
xyph, posted April 30, 2012

Mid-range video cards, cooled properly, will calculate well over a billion MD5's per second. Around half a billion SHA-1 per second. A proper key stretch will take that number down to a million, which is much less feasible.

> PHPass is a good idea as a minimum security measure. Unless you are storing more sensitive information like credit card info and such, which I doubt.

PHPass would be terrible for storing CC numbers, as it's designed to be one-way.

IMO, storing CC numbers is something you should never do, unless you're running some sort of payment gateway. Even for a subscription service, it's hard to justify that kind of liability when the overhead of using PayPal et al is relatively small. Regardless, safe storage of CCs is well beyond the scope of this discussion board, IMO.

I'm also kind of curious what you'd use beyond PHPass for password hashing?
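To make xyph's "key stretch" point concrete, the following added example (not code from xyph or from the thread) does two things: it times bcrypt on the local machine at increasing cost values and picks the cheapest one that meets a latency budget, then puts the thread's attacker figures (roughly 1e9 raw MD5 guesses per second versus roughly 1e6 per second against a stretched hash) next to an 8-character alphanumeric keyspace. The 200 ms budget, the cost range, the benchmark string and the use of xyph's round numbers as attacker rates are all assumptions; hrtime() needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread: (1) measure how long one bcrypt
// hash takes at each cost on this machine and choose the cheapest cost that
// meets a latency budget; (2) put the thread's attacker rates (about 1e9
// MD5/s raw, about 1e6/s once key-stretched) next to a concrete keyspace.
declare(strict_types=1);

// Average wall-clock seconds for one bcrypt hash at the given cost.
function secondsPerHash(int $cost, int $samples = 3): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $samples; $i++) {
        password_hash('benchmark-only, never a real password', PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return (hrtime(true) - $start) / 1e9 / $samples;
}

// Smallest cost in [$min, $max] whose per-hash time reaches $budgetSeconds;
// falls back to $max if even that is faster than the budget.
function chooseCost(float $budgetSeconds, int $min = 10, int $max = 16): int
{
    for ($cost = $min; $cost <= $max; $cost++) {
        if (secondsPerHash($cost) >= $budgetSeconds) {
            return $cost;
        }
    }
    return $max;
}

// Assumed budget: a login may spend 200 ms hashing without users noticing.
$cost = chooseCost(0.20);
printf("bcrypt cost %d takes about %.0f ms per hash on this machine\n", $cost, secondsPerHash($cost) * 1000);

// Attack arithmetic using the figures quoted in the thread (illustrative,
// not measured here).
$keyspace  = 62 ** 8;   // every 8-character [A-Za-z0-9] password
$fast      = 1e9;       // raw MD5/SHA-1 guesses per second on one card
$stretched = 1e6;       // guesses per second against a key-stretched hash

foreach (['md5(salt.pw)' => $fast, 'key-stretched' => $stretched] as $label => $rate) {
    $seconds = $keyspace / $rate;
    printf("%-14s exhausts the 8-char keyspace in %.1f days\n", $label, $seconds / 86400);
}
```

The benchmark should be run on the actual login servers, since the cost that fits the budget depends on their CPU, and re-run whenever the hardware changes; password_needs_rehash() can then migrate existing users to the new cost on their next successful login.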
ignace, posted April 30, 2012

> I'm also kind of curious what you'd use beyond PHPass for password hashing?

bcrypt probably. I've never used it though. So far I have never had a case that had such a high security concern. And if the project does have to handle sensitive data, we employ licensed third-party software. Because it's better to be able to point the finger at someone other than you