Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Best PHP hashing method for storing user passwords in a MySQL table?

Tags:

php

passwords

mysql

encryption

I've been reading Stack Overflow questions for about 15 minutes now and every single one seems to contradict the previous one I read. Bcrypt, SHA1, MD5, and so on. I currently MD5 my passwords, but I want to make my database more secure in case of a breach.

I know this has been asked a million times, but I can't seem to find a decent answer anywhere else.

Thanks.

like image 247
iamandrus Avatar asked Jun 24 '11 19:06

iamandrus

People also ask

What is the most used method for hashing passwords in PHP?

In PHP, there are various cryptographic algorithms that are commonly used like md5, crypt, sha1, and bcrypt. And the most commonly used nowadays is bcrypt hashing method.

What hash does MySQL use for passwords?

The password hash stored by MySQL Server is generated by hashing the plain-text password twice using SHA1. When the client transmits the password to the server, it uses three pieces of information: The SHA1 hash of the plain text password. The SHA1 hash of the the SHA1 hash of the plain text password.

Can you store passwords in MySQL?

The PASSWORD(str) function is used by the MySQL itself to store passwords of its users, but its not recommended to use it in your own programs. The ENCRYPT function uses the UNIX native crypt() program, so do not expect to work on Windows.

2 Answers

The reason you see contradictory answers is because there is no right one. You should use the most secure method that your application can support. More secure = more overhead.

MD5 has been broken and cracked.

According to this article, SHA1 is broken. However it has not yet been cracked.

bcrypt has not (to the best of my knowledge) been found to be broken.

Given enough CPU cycles, any hashing or encryption algorithm can eventually be circumvented. Your decision should balance the security of your data with the performance of your application.

Given those caveats, bcrypt is the defacto standard at this time. It is designed for strength, not speed, and is not known to be broken. For an index of information about bcrypt, see the bcrypt article on Wikipedia.

like image 199
George Cummins Avatar answered Nov 02 '22 07:11

George Cummins

I'd go with bcrypt. It drastically reduces the ability to generate rainbow tables.

http://codahale.com/how-to-safely-store-a-password/

It's important to note that salts are useless for preventing dictionary attacks or brute force attacks. You can use huge salts or many salts or hand-harvested, shade-grown, organic Himalayan pink salt. It doesn't affect how fast an attacker can try a candidate password, given the hash and the salt from your database.

like image 32
ceejayoz Avatar answered Nov 02 '22 06:11

ceejayoz
Sign in to Comment

Related questions

How do I time delay a job in Laravel 5.2?
Laravel 5.3 set homepage as login screen
Laravel 5.4 - Eloquent Relationship Update
using carbon to change utc to other timezone gives the same result
How to extract the full url (subdomain,domain and directories) with ZF?
Is the order of an associative array guaranteed in PHP?
What's the point of E_ALL | E_STRICT if it's the same value as E_ALL?
Troubleshooting PHP Mail [duplicate]
Best Step by Step tutorial for Symfony - (I am running PHP on Windows) [closed]
Connecting to remote MySQL server using PHP
How to declare more than one header on PHP
fopen with/without @ before it
Subtracting dates in PHP [duplicate]
Why doesn't PHP DOM include slash on self closing tags?
PHP to Zebra Printer
How to sort by numbers first with Oracle SQL query?
Getting first weekday in a month with strtotime
PDO connection error when using symfony and MAMP
What does it mean to run PHP in quiet mode?
CodeIgniter: Is it safe to delete index.html from all folders?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!