Hashing technique for storing password [duplicate]_问答_开发者

Hashing technique for storing password [duplicate]

开发者 https://www.devze.com 2023-03-03 18:29 出处：网络

This question already has answers here: Closed 11 years ago. Possible Duplicate: Secure hash and salt for PHP passwords

相关专题：encryption php

This question already has answers here: Closed 11 years ago.

Possible Duplicate:
Secure hash and salt for PHP passwords

THREE part question:

Whic开发者_JS百科h technique I should use to store a password? (sha1, sha256/512, etc.)
What is the ideal size of a salt?

What should i use ?

$passwordHash = hash('ENCRYPTION',$salt . $password);

 $passwordHash = hash('ENCRYPTION',$password . $salt);

I intend to store forum passwords only. I am not storing bank credentials or any other highly sensitive items. It should be fast and not rocket science.

I used MD5 but since it is known that it is broken, I now use SHA-2

$hash = hash('sha256', $pass); - creates 256 bit hash.

Personally, I'd still go with MD5 - it's very fast and widely implemented.

Although security researchers have found a way to make two blocks of text that result in the same MD5 hash (a "collision attack"), there's no known practical way to create an a block of text that produces a specific hash (a "pre-image attack")

Just make sure that you do have a decent length salt (16 random bytes should be more than enough) to ensure that a hacker can't use "rainbow tables" to reverse your hashes.

In my opinion, you should use SHA512, if availble, as it is one of the strongest hashing algorithms that are availble at the moment.

Regarding salt sizes, I would use one the same size as the hash, as the adds a lot more entropy to the hash. I use the uniqid() function in conjunction with the rand() function

I would use code similar to what is below

<?php
    $password = 'password';
    //Generate the salt
    $salt = hash('sha512',uniqid('',true) . rand());
    //Hash our password with the salt
    $passwordHash = hash('sha512',$salt . $password);
?>

Any as you state -- it`s not so highly sensitive
Any, but if you want precise number, let it be 32
Any, as the main purpose of the salt is don`t give bad man to determine, whether two passwords are same.

For example I`m a developer of some system and decide to store only login-n-password hash:

user1:qjwhegwqe7865weq786ew7q8
user2:kl21j3kl21j3kl21j3kl12jk
user3:qjwhegwqe7865weq786ew7q8

As you can see, without salt bad man will see, that user1 and user3 have same passwords. That's why salt was invented -- it creates always different hashes. And it's only one it's purpose.