MySQL_Narb Posted July 25, 2012 Share Posted July 25, 2012 Is this good password hashing/encryption? Will this protect weaker passwords? $salt = substr(hash(sha256, sha1(time())), 10); $password = $salt.hash(sha256, md5(sha1($_POST['password']))).substr($salt, 0, -51); $_SESSION['salt'] = $salt; $_SESSION['password'] = $password; Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted July 25, 2012 Share Posted July 25, 2012 What do you mean by "protect weaker passwords"? It's important we know what you mean here. Quote Link to comment Share on other sites More sharing options...
MySQL_Narb Posted July 25, 2012 Author Share Posted July 25, 2012 What do you mean by "protect weaker passwords"? It's important we know what you mean here. Someone is saying that my salt protection isn't enough. I'm curious to know if that's really true, or I have good enough of a salting protection already. Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted July 25, 2012 Share Posted July 25, 2012 Let's try this another way. What do you consider a "weaker password" and what are you trying to protect it from? Quote Link to comment Share on other sites More sharing options...
MySQL_Narb Posted July 25, 2012 Author Share Posted July 25, 2012 I think I have my question answered. I didn't really word it correctly in the OP, sorry about that. What I was trying to ask was if the salting method was good enough, but I feel as if any form of salting is good enough. Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted July 25, 2012 Share Posted July 25, 2012 if you are worried you could always use Bcrypt http://phpmaster.com/why-you-should-use-bcrypt-to-hash-stored-passwords/ Quote Link to comment Share on other sites More sharing options...
xyph Posted July 26, 2012 Share Posted July 26, 2012 1. 'sha256' is not a constant. You need to quote it in your function call. You could code with all errors displayed. See my sig. 2. There's no point in double hashing. hash('sha256', sha1(time())) and hash('sha256', md5(sha1($_POST['password']))) Just use one call per hash 3. You don't actually mix the salt in with the hash. You have to do something like $pass = $salt.'|'.hash('sha256',$_POST['password'].$salt); I added the bar in between to easily split the salt and hash later for checking. 4. To mix the salt and the password, ideally, you use hash_hmac instead. It mixes it in a 'standard' way, and it's very easy to use. $pass = $salt.'|'.hash_hmac('sha256',$_POST['password'],$salt); 5. For the salt, you want to be sure it's unique. Use microtime and something like a session ID, or IP, user-agent, etc. 6. If you're interested in securing your user-based application, you really should read the article in my signature. The examples aren't production code, but the concept is there and it goes way beyond just hashing. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.