Safe Password Storing

Let's say I have thousands of users and I want to make the passwords very secure. Now, I've learned that md5() is not the safest to use; however, what I think can be done to be safe is to salt it (I know this is nothing new). So for this I was thinking of creating two tables: one called accounts, which will have all information associated with accounts and a column called salt, and a second table called something like auth with the fields account_id and password.

To start, I create a salt upon registration (generated randomly):

$salt = "#52/sBsO8";

Then all the provided information goes to accounts, salt being one of them.

Then, after successfully putting the information in the database, I create the password that is going to be stored in the auth table. This way the password is not the md5 of the password the user enters; rather, it's the md5 of the salt and the password the user enters.

So the password in auth is

$password = md5($user_entered_password . $salt);

Test strings (PHP code):

$password = "123";
$salt = "#52/sBsO8";
echo md5($password) ." / ";
echo md5($password . $salt);

output: 202cb962ac59075b964b07152d234b70 / dfbf0b257c5182af0ae893c2680f4594

The question is: is this a pretty safe way of dealing with passwords? Because of md5() decrypting websites, there are so many ways to guess the passwords. And the decrypting websites don't actually decrypt the md5(); they just have the md5 hashes of millions of strings.

Grigor asked Feb 11 '26 05:02


1 Answer

md5 is likely to be the least safe among "popular" hashing algorithms.
Since you're using PHP, a better option would be crypt: http://php.net/manual/en/function.crypt.php

crypt($password, $salt)

For a good comparison of various hashing methods, see Jeff Atwood's post about password hashing

Excerpt about brute forcing benchmarks:

MD5 23070.7 M/s
SHA-1 7973.8 M/s
SHA-256 3110.2 M/s
SHA-512 267.1 M/s
NTLM 44035.3 M/s
DES 185.1 M/s
WPA/WPA2 348.0 k/s

The lower, the better, although DES is too short to be considered nowadays (56-bit, thanks @thebod).

EDIT:

Although it isn't listed in the benchmarked methods above, the best hashing method that crypt supports is Blowfish; here's an example of how to use it:

// $salt has to be built from exactly these components:
// '$2a$' . $twoDigitCost (around ten) . '$' . $twentyTwoChars (from the alphabet ./0-9A-Za-z)
$salt = '$2a$07$somesillystringforsalt';
$hash = crypt( $password, $salt );
Razor answered Feb 13 '26 18:02
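The crypt()-with-Blowfish approach from the answer, as a complete added example (not code from the question or the answer): it builds the 22-character salt from a CSPRNG instead of a fixed string, stores a single self-describing hash instead of a separate salt column, and verifies a login with a constant-time comparison. The function names are assumptions; '$2y$' is PHP's corrected identifier (PHP 5.3.7+) for the same Blowfish scheme the answer writes as '$2a$'.

```php
<?php
// Added example, not code from the original question or answer.

// Build a crypt() salt string: '$2y$' . two-digit cost . '$' . 22 chars
// from the alphabet ./0-9A-Za-z. The cost is a work factor: each +1
// doubles the time an attacker needs per guess (and each login costs too).
function make_bcrypt_salt(int $cost = 10): string {
    // random_bytes() is a CSPRNG; 16 bytes encode to 24 base64 chars,
    // of which the first 22 are non-padding and are kept.
    $raw = base64_encode(random_bytes(16));
    // crypt()'s salt alphabet uses '.' where base64 uses '+'; '/' is fine.
    $salt22 = substr(strtr($raw, '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $salt22);
}

// Hash a new password for storage. The returned string embeds the scheme,
// cost and salt, so one column holds everything needed to verify later.
function hash_password(string $password, int $cost = 10): string {
    $hash = crypt($password, make_bcrypt_salt($cost));
    // crypt() signals failure (e.g. a malformed salt) with a result shorter
    // than 13 characters; never store such a value.
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() failed to produce a hash');
    }
    return $hash;
}

// Verify a login attempt: passing the stored hash as the salt makes crypt()
// reuse its embedded scheme, cost and salt, so the outputs match only if the
// password matches. hash_equals() compares in constant time to avoid leaking
// how many leading bytes agreed through timing differences.
function verify_password(string $password, string $stored_hash): bool {
    return hash_equals($stored_hash, crypt($password, $stored_hash));
}

// Constructed sample run.
$stored = hash_password('123');
var_dump(verify_password('123', $stored));
var_dump(verify_password('1234', $stored));
```

Because the salt and cost travel inside the hash, the cost can be raised for new accounts without touching existing rows, and old hashes can be rehashed on the next successful login.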