Password hash - CodeIgniter Forums (https://forum.codeigniter.com)
Password hash - El Forum - 06-26-2012

[eluser]someone[/eluser]
Hello! I'm working on a registration script and I would like to ask you, which crypt hash do you use? Currently I want to use the crypt() function with a blowfish hash, but I don't know if my idea is good. The idea is a function which takes a string and mixes it randomly. Then this string becomes a salt for the crypt function. Is this a good way? Thanks! :-)

Password hash - El Forum - 06-26-2012

[eluser]Jason Hamilton-Mascioli[/eluser]
Taken from an earlier post...

Quote: Use bcrypt. Actually - use PHP’s bcrypt implementation - crypt function (there are several different

Password hash - El Forum - 06-26-2012

[eluser]someone[/eluser]
I have tried bcrypt and it works well, but after reading articles I don't know what to use now. Some say it's better to use bcrypt (crypt() blowfish) but others then tell me that it is easy to take the site down because crypt() uses a lot of CPU. What's true now, and do you recommend blowfish or sha512 (again some are saying that blowfish is better)?

EDIT: Is blowfish always 60 chars long?

Password hash - El Forum - 06-26-2012

[eluser]Syllean[/eluser]
I found this tutorial quite helpful http://net.tutsplus.com/tutorials/php/understanding-hash-functions-and-keeping-passwords-safe.

Password hash - El Forum - 06-26-2012

[eluser]InsiteFX[/eluser]
Ya, and they were just hacked storing passwords in plain text.

Password hash - El Forum - 06-26-2012

[eluser]someone[/eluser]
[quote author="someone" date="1340715228"]I have tried bcrypt and it works well, but after reading articles I don't know what to use now. Some say it's better to use bcrypt (crypt() blowfish) but others then tell me that it is easy to take the site down because crypt() uses a lot of CPU. What's true now, and do you recommend blowfish or sha512 (again some are saying that blowfish is better)? EDIT: Is blowfish always 60 chars long?[/quote]

I'm still interested in these two questions, so if anyone knows, please reply.

What about storing the hash in the database as in the linked article - is this secure? Thanks! :-)

Password hash - El Forum - 06-26-2012

[eluser]InsiteFX[/eluser]
SHA512 requires a database field of varchar(128) if you use that. I hash mine with SHA512 and use the CodeIgniter 32-bit config encryption key to salt it; it also has a second parameter to pass in a random salt.
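
On the two questions left open in the thread (hash length and CPU cost), here is an added example that is not code from any poster. It assumes PHP 7+ for random_bytes(), and the helper names bcrypt_salt, hash_password and verify_password are hypothetical. It builds a random salt for crypt()'s Blowfish mode, checks that the result is 60 characters, verifies a login attempt, and times a few cost values.

```php
<?php
// Added example, not code from the thread. Helper names are hypothetical.
// Assumes PHP 7+ for random_bytes(); crypt() in Blowfish mode is what the thread discusses.

// Build the salt argument: "$2y$" + two-digit cost + "$" + 22 salt characters.
function bcrypt_salt(int $cost = 10): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be 4..31');
    }
    // 16 bytes from the OS CSPRNG become 22 base64 characters once padding is dropped.
    $raw = rtrim(base64_encode(random_bytes(16)), '=');
    // bcrypt's alphabet is ./A-Za-z0-9, so map base64's "+" to ".".
    return sprintf('$2y$%02d$%s', $cost, strtr($raw, '+', '.'));
}

function hash_password(string $password, int $cost = 10): string
{
    $hash = crypt($password, bcrypt_salt($cost));
    // A bcrypt result is 4 (prefix) + 3 (cost) + 22 (salt) + 31 (digest) = 60 characters;
    // crypt() signals failure with a short string such as "*0".
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

function verify_password(string $password, string $stored): bool
{
    // The stored hash carries its own cost and salt, so it doubles as the salt argument.
    // hash_equals() compares in constant time.
    return hash_equals($stored, crypt($password, $stored));
}

$stored = hash_password('correct horse battery staple'); // constructed sample password
var_dump(strlen($stored));
var_dump(verify_password('correct horse battery staple', $stored));
var_dump(verify_password('wrong guess', $stored));

// CPU use is tunable: each +1 on the cost doubles the work per hash.
foreach ([8, 10, 12] as $cost) {
    $start = microtime(true);
    hash_password('x', $cost);
    printf("cost %d: %.0f ms\n", $cost, (microtime(true) - $start) * 1000);
}
```

Because the whole 60-character string is stored in one column, no separate salt column is needed; since PHP 5.5 the built-in password_hash() and password_verify() produce and check the same format.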