MySQL_Narb Posted July 25, 2012 Share Posted July 25, 2012 Is this good password hashing/encryption? Will this protect weaker passwords? $salt = substr(hash(sha256, sha1(time())), 10); $password = $salt.hash(sha256, md5(sha1($_POST['password']))).substr($salt, 0, -51); $_SESSION['salt'] = $salt; $_SESSION['password'] = $password; Link to comment https://forums.phpfreaks.com/topic/266250-password-hashing-method-good-enough/ Share on other sites More sharing options...
Pikachu2000 Posted July 25, 2012 Share Posted July 25, 2012 What do you mean by "protect weaker passwords"? It's important we know what you mean here. Link to comment https://forums.phpfreaks.com/topic/266250-password-hashing-method-good-enough/#findComment-1364400 Share on other sites More sharing options...
MySQL_Narb Posted July 25, 2012 Author Share Posted July 25, 2012 What do you mean by "protect weaker passwords"? It's important we know what you mean here. Someone is saying that my salt protection isn't enough. I'm curious to know if that's really true, or I have good enough of a salting protection already. Link to comment https://forums.phpfreaks.com/topic/266250-password-hashing-method-good-enough/#findComment-1364402 Share on other sites More sharing options...
Pikachu2000 Posted July 25, 2012 Share Posted July 25, 2012 Let's try this another way. What do you consider a "weaker password" and what are you trying to protect it from? Link to comment https://forums.phpfreaks.com/topic/266250-password-hashing-method-good-enough/#findComment-1364403 Share on other sites More sharing options...
MySQL_Narb Posted July 25, 2012 Author Share Posted July 25, 2012 I think I have my question answered. I didn't really word it correctly in the OP, sorry about that. What I was trying to ask was if the salting method was good enough, but I feel as if any form of salting is good enough. Link to comment https://forums.phpfreaks.com/topic/266250-password-hashing-method-good-enough/#findComment-1364404 Share on other sites More sharing options...
darkfreaks Posted July 25, 2012 Share Posted July 25, 2012 if you are worried you could always use Bcrypt http://phpmaster.com/why-you-should-use-bcrypt-to-hash-stored-passwords/ Link to comment https://forums.phpfreaks.com/topic/266250-password-hashing-method-good-enough/#findComment-1364411 Share on other sites More sharing options...
xyph Posted July 26, 2012 Share Posted July 26, 2012 1. 'sha256' is not a constant. You need to quote it in your function call. You could code with all errors displayed. See my sig. 2. There's no point in double hashing. hash('sha256', sha1(time())) and hash('sha256', md5(sha1($_POST['password']))) Just use one call per hash 3. You don't actually mix the salt in with the hash. You have to do something like $pass = $salt.'|'.hash('sha256',$_POST['password'].$salt); I added the bar in between to easily split the salt and hash later for checking. 4. To mix the salt and the password, ideally, you use hash_hmac instead. It mixes it in a 'standard' way, and it's very easy to use. $pass = $salt.'|'.hash_hmac('sha256',$_POST['password'],$salt); 5. For the salt, you want to be sure it's unique. Use microtime and something like a session ID, or IP, user-agent, etc. 6. If you're interested in securing your user-based application, you really should read the article in my signature. The examples aren't production code, but the concept is there and it goes way beyond just hashing. Link to comment https://forums.phpfreaks.com/topic/266250-password-hashing-method-good-enough/#findComment-1364417 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.