Correct Code Procedure For Storing Passwords Securing Passwords In MYSQL

Question

So currently my code is using a standard sha1 to hash the password for database implementation.

What is or is there a better more securing way to store the password? Maybe MD5 (Yes I am joking)

For example I am using Codeigniter as my framework, What would be the best way to encrypt the passwords?

Answer 1

I would do it this way.

salt = For each user generate a random seed with a random length. 

iterations = Select a random number

while(iterations  != 0)  {

hashed_password = hash_function(password.salt) . salt;    iterations-- }

in the password field save them like so:

hashed_password:salt:hash_function:iterations.

And at login use the new password in combination with salt, hash_function and iteration to hash it and compare the result with the hashed_password.

off course you can use multiple hash functions to like sha_x(md5(salt.password).salt).salt or what ever you want but make sure that you save it in some way in order to make the comparison at login.

Answer 2

You should really use bcrypt to hash your passwords, it was designed especially for hashing password.

Hash functions for passwords should be slow (need some computing time). Most hash algorithms like SHA-1 and MD5 or even SHA-256 are designed to be fast, but this makes it an easy target for brute force attacks.

Don't be afraid to use bcrypt! It is not for high security sites only, and using it can be as easy, as using an md5 hash. It's recommended to use a well established library like phpass, and if you want to understand how it works, you can read this article, where i tried to explain the most important points.