Best PHP hashing method for storing user passwords in a MySQL table?

I've been reading Stack Overflow questions for about 15 minutes now and every single one seems to contradict the previous one I read. Bcrypt, SHA1, MD5, and so on. I currently MD5 my passwords, but I want to make my database more secure in case of a breach.

I know this has been asked a million times, but I can't seem to find a decent answer anywhere else.

Thanks.

iamandrus asked Jun 24 '11 19:06


2 Answers

The reason you see contradictory answers is because there is no right one. You should use the most secure method that your application can support. More secure = more overhead.

MD5 has been broken and cracked.

According to this article, SHA1 is broken. However it has not yet been cracked.

bcrypt has not (to the best of my knowledge) been found to be broken.

Given enough CPU cycles, any hashing or encryption algorithm can eventually be circumvented. Your decision should balance the security of your data with the performance of your application.

Given those caveats, bcrypt is the de facto standard at this time. It is designed for strength, not speed, and is not known to be broken. For an index of information about bcrypt, see the bcrypt article on Wikipedia.

George Cummins answered Nov 02 '22 07:11


I'd go with bcrypt. It drastically reduces the ability to generate rainbow tables.

http://codahale.com/how-to-safely-store-a-password/

It's important to note that salts are useless for preventing dictionary attacks or brute force attacks. You can use huge salts or many salts or hand-harvested, shade-grown, organic Himalayan pink salt. It doesn't affect how fast an attacker can try a candidate password, given the hash and the salt from your database.

ceejayoz answered Nov 02 '22 06:11
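
An added example (not part of either answer above, and not code from the page): hashing with bcrypt through PHP's built-in `password_hash()` and upgrading the asker's existing MD5 hashes at the next successful login. It assumes PHP 7.1+; the function names, the cost value and the sample user record are hypothetical.

```php
<?php
// Added example. The user row is a constructed array standing in for a
// MySQL record whose `hash` column is VARCHAR(255).

// Assumption: cost 12. Raise it until one hash takes a noticeable fraction
// of a second on your server; that per-guess cost is what slows an attacker.
const BCRYPT_OPTIONS = ['cost' => 12];

function hashPassword(string $plain): string
{
    // password_hash() generates a random salt and stores it, together with
    // the cost, inside the returned string. bcrypt ignores input past 72 bytes.
    return password_hash($plain, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

function isLegacyMd5(string $stored): bool
{
    // An unsalted MD5 hash is exactly 32 hex characters.
    return preg_match('/^[a-f0-9]{32}$/i', $stored) === 1;
}

/**
 * Check a login attempt against the stored hash.
 * Returns [bool $ok, ?string $newHash]; when $newHash is not null,
 * write it back to the user's row.
 */
function verifyAndUpgrade(string $plain, string $stored): array
{
    if (isLegacyMd5($stored)) {
        // Legacy path: constant-time compare, then replace MD5 with bcrypt.
        $ok = hash_equals(strtolower($stored), md5($plain));
        return [$ok, $ok ? hashPassword($plain) : null];
    }
    if (!password_verify($plain, $stored)) {
        return [false, null];
    }
    // Re-hash when the stored cost is lower than the current setting.
    $stale = password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    return [true, $stale ? hashPassword($plain) : null];
}

// Constructed sample: a user whose password is still stored as MD5.
$user = ['name' => 'alice', 'hash' => md5('correct horse')];
[$ok, $newHash] = verifyAndUpgrade('correct horse', $user['hash']);
if ($ok && $newHash !== null) {
    $user['hash'] = $newHash; // in a real app: UPDATE users SET hash = ? WHERE id = ?
}
var_dump($ok, isLegacyMd5($user['hash']), verifyAndUpgrade('wrong guess', $user['hash'])[0]);
```

Accounts that never log in again keep their MD5 hash, so those rows need a forced reset or a separate migration.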