Menu
I'm currently implementing a login system. I want to store the password and the salt in a database. Now I found out that there is a hash() and a crypt() function which seems to do the same (valid for SHA512).
hash() is newer and seems to support more hashing alogrithms than crypt(). Or there any other differences I should know/care about?
Edit:
function generatePasswordHash($password){
$salt = base64_encode(mcrypt_create_iv(8));
$calculatedPasswordHash = crypt($password, '$1$' . $salt . '$');
return $calculatedPasswordHash;
}
The result looks like $1$Qh6ByGJ9$zLn3yq62egvmc9D7SzA2u.
Here my password checking function:
function checkLoginData($username, $password){
global $db;
$sql = "SELECT * FROM users WHERE username = :username";
$result = $db->ExecuteQuery($sql, array("username"=>$username));
if(!empty($result)){
$result = $result[0];
$savedPasswordHash = $result['password'];
$splitted = explode("$", $savedPasswordHash);
$salt = $splitted[2];
$calculatedPasswordHash = crypt($password, '$1$' . $salt . '$');
if($savedPasswordHash === $calculatedPasswordHash){
return true;
}
}
return false;
}
516
The standard AIX® authentication mechanism uses a one-way hash function called crypt to authenticate users. The crypt function is a modified DES algorithm. It performs a one-way encryption of a fixed data array with the supplied password and a Salt.
Hashing is a one-way process that converts a password to ciphertext using hash algorithms. A hashed password cannot be decrypted, but a hacker can try to reverse engineer it. Password salting adds random characters before or after a password prior to hashing to obfuscate the actual password.
Hashing and encryption both provide ways to keep sensitive data safe. However, in almost all circumstances, passwords should be hashed, NOT encrypted. Hashing is a one-way function (i.e., it is impossible to "decrypt" a hash and obtain the original plaintext value). Hashing is appropriate for password validation.
By adding randomness to the original plaintext password value before hashing, salting ensures that a different hashed value is generated. Salting is an additional layer of security to prevent, or at least minimize, the possibility of password compromise by the following three primary attack vectors.
Use hash for hashing, for example in integrity checks. It directly uses the specified hashing algorithm.
crypt is a special purpose function. It's used for password hashing and key derivation. You'll need to pass in a salt, which indirectly determines the hashing scheme used. Even if you choose CRYPT_SHA512 this isn't plain SHA512. It's a key derivation function that uses SHA512 as building block. In particular such a scheme is deliberately slow(hider brute-force attacks) and combines salt and password in a secure way.
For password hashing in a log system, crypt is clearly the right choice.
189
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
