Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

password security in PHP

Tags:

php

md5

salt

What method would you call safest and most secure? I took these snippets off php.net. I'm just wondering because people posted their own and I just couldn't catch on to understand why some are the way they are... Can someone help me out and tell me a little more about these? Which would be the most secure and why?

1.

<?php
$hash = md5($salt1.$password.$salt2);
?>

2.

<?php
function eliteEncrypt($string) {
    // Create a salt
    $salt = md5($string."%*4!#$;\.k~'(_@");

    // Hash the string
    $string = md5("$salt$string$salt");

    return $string;
}
?>

3.

<?php
define ('SALT_ONE', 'some_random_123_collection_&$^%_of_stuff');
define ('SALT_TWO', 'another_random_%*!_collection_ANbu_of_stuff');

$password = 'dragon';

function generate_encrypted_password($str) {
$new_pword = '';

if( defined('SALT_ONE') ):
   $new_pword .= md5(SALT_ONE);
endif;

$new_pword .= md5($str);

if( defined('SALT_TWO') ):
   $new_pword .= md5(SALT_TWO);
endif;

return substr($new_pword, strlen($str), 40);
}

echo generate_encrypted_password($password);
?>

4.

<?
function enchsetenev($toencode,$times)
{
    $salt = 's+(_a*';
    for($zo=0;$zo<$times;$zo=$zo+1)
    {
        $toencode = hash('sha512',salt.$toencode);
        $toencode = md5($toencode.$salt);
    }
    return $toencode;
}

?>

5.

<?php
$hash = $password . $salt;

for ( $i = 0; $i < 10000; $i++ ) {
  $hash = md5( $hash );
}

echo $hash;
?>
like image 547
Kyle Avatar asked Mar 08 '11 16:03

Kyle


1 Answers

  1. It is a basic example of what we want, a salt added to the password
  2. It is the same example but with the salt generation part.
  3. A different method for salting, but still pretty equivalent
  4. There's absolutely no point in this over complicated example, hashing with two different hash method many times absolutely don't improve security.
  5. Like already said, there's absolutely no point to perform 10000 times a hash.

If you change the first example to :

<?php
  $hash = hash('sha256', $salt1.$password.$salt2);
?>

this will be secure enough for 99% of the application.

The only question is how to generate the salt. I recommend a fixed salt ($salt2) and on salt generated for each user ($salt1) which is stored in the database along the password.

This way you're pretty secure against rainbow table attack even if someone retrieves the content of your database.

like image 91
krtek Avatar answered Oct 06 '22 01:10

krtek