best algorithm to store passwords in 2016

Actually, I have read many posts related to the algorithms to use, like md5, sha1 and so on. But I am still not sure which one is secure and the best one to use nowadays. I am a beginner with web development and I am asking all of the best programmers around the world to teach and show me. I hope you guys can give me the choice and an example of using it. Thank you

asked May 26 '16 07:05 by Malay Muslim



1 Answer

What is important is that the algorithm offers a cost factor, which controls the time necessary to calculate a hash. The more time you can invest in calculating a single hash, the more expensive brute-forcing will become (e.g. 100 Giga MD5 per second vs 10 BCrypt per second).

Today's recommended algorithms are BCrypt, PBKDF2 and SCrypt. The algorithm BCrypt is supported by PHP; a wrapper function takes care of generating the salt and is future-proof.

<?php
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_DEFAULT);

// Check whether the hash of the entered login password matches the stored hash.
// The salt and the cost factor are extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
answered Sep 29 '22 16:09 by martinstoeckli
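The answer above makes two points that the two-line snippet does not show in action: the cost factor is what makes brute force expensive, and PHP stores the cost inside the hash so old hashes keep verifying after the cost is raised. The following is an added example, not code from the original answer, that calibrates a bcrypt cost for the machine it runs on and upgrades stored hashes at login via password_needs_rehash. It assumes PHP 7.1 or later; TARGET_SECONDS is an assumed latency budget, and save_hash()/load_hash() are hypothetical stand-ins for a real users table.

```php
<?php
// Added example, not part of the original answer: pick a bcrypt cost factor
// for this server and transparently upgrade stored hashes when it is raised.
// Assumes PHP >= 7.1 (password_* API, nullable return types). save_hash() and
// load_hash() are hypothetical stand-ins for your users table.

// Assumption: one hash may take about this long on the login server.
// bcrypt's cost is logarithmic, so each +1 doubles the work (and the time).
const TARGET_SECONDS = 0.25;

/** Highest bcrypt cost (4..31) whose single hash still finishes under $target seconds. */
function calibrate_bcrypt_cost(float $target = TARGET_SECONDS, int $min = 10, int $max = 31): int
{
    $cost = $min;
    while ($cost < $max) {
        $start = microtime(true);
        password_hash('calibration-only', PASSWORD_BCRYPT, ['cost' => $cost + 1]);
        if (microtime(true) - $start > $target) {
            break;
        }
        $cost++;
    }
    return $cost;
}

// Constructed in-memory stand-in for the database (hypothetical).
$GLOBALS['users'] = [];
function save_hash(string $user, string $hash): void { $GLOBALS['users'][$user] = $hash; }
function load_hash(string $user): ?string { return $GLOBALS['users'][$user] ?? null; }

function register(string $user, string $password, array $options): void
{
    // bcrypt only looks at the first 72 bytes of the password; reject anything
    // longer rather than letting password_hash() silently truncate it.
    if (strlen($password) > 72) {
        throw new InvalidArgumentException('password longer than 72 bytes');
    }
    save_hash($user, password_hash($password, PASSWORD_BCRYPT, $options));
}

function login(string $user, string $password, array $options, string $dummyHash): bool
{
    $stored = load_hash($user);
    if ($stored === null) {
        // Unknown user: still run one bcrypt verification so the response
        // time does not reveal whether the account exists.
        password_verify($password, $dummyHash);
        return false;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    // The cost is encoded in the stored hash itself ("$2y$10$..."). If the
    // server's target cost has been raised since, rehash now while the
    // plaintext is in hand; until then the old hash keeps verifying.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, $options)) {
        save_hash($user, password_hash($password, PASSWORD_BCRYPT, $options));
    }
    return true;
}

// Calibrate once at deploy time, then hard-code the result in configuration
// rather than benchmarking on every request.
$options   = ['cost' => calibrate_bcrypt_cost()];
$dummyHash = password_hash('dummy', PASSWORD_BCRYPT, $options);

// Simulate an account created back when the cost was still 10 ...
register('alice', 'correct horse battery staple', ['cost' => 10]);
echo 'cost stored at registration: ', password_get_info(load_hash('alice'))['options']['cost'], "\n";

// ... and a later successful login, which rehashes at the current cost if it is higher.
var_dump(login('alice', 'correct horse battery staple', $options, $dummyHash));
echo 'cost stored after login: ', password_get_info(load_hash('alice'))['options']['cost'], "\n";
var_dump(login('alice', 'wrong password', $options, $dummyHash));
var_dump(login('mallory', 'anything', $options, $dummyHash));
```

Run it with `php example.php`. The calibration loop is deliberately slow (it hashes at increasing cost until one hash exceeds the budget), which is why the comment says to run it once and commit the resulting cost to configuration; raising that number later requires no migration, because every user's hash is upgraded the next time they log in.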