Password hash

#1
[eluser]someone Smile[/eluser]
Hello!

I'm working on a registration script and I would like to ask you: which crypt hash do you use?

Currently I want to use the crypt() function with the blowfish hash, but I don't know if my idea is good. The idea is a function which takes a string and mixes it randomly. This string then becomes the salt for the crypt function. Is this a good way?

Thanks! :-)

#2
[eluser]Jason Hamilton-Mascioli[/eluser]
Taken from an earlier post...

Quote: Use bcrypt. Actually - use PHP's bcrypt implementation - the crypt function (there are several different options - the best ones would be crypt_sha256, crypt_sha512 or crypt_blowfish). IMHO, I'd go for crypt_sha512.

Why is it better?

Because it introduces a work factor, which allows you to determine how expensive the hash function will be. Because of this, bcrypt can keep up with Moore's law. As computers get faster you can increase the work factor and the hash will get slower.

How much slower is bcrypt than, say, MD5? Depends on the work factor. Using a work factor of 12, bcrypt hashes the password yaaa in about 0.3 seconds on my laptop. MD5, on the other hand, takes less than a microsecond.

So we're talking about 5 or so orders of magnitude. Instead of cracking a password every 40 seconds, I'd be cracking them every 12 years or so. Your passwords might not need that kind of security and you might need a faster comparison algorithm, but bcrypt allows you to choose your balance of speed and security. Use it.
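The work-factor argument above, as an added example that is not code from any poster in this thread: bcrypt through PHP's crypt() with an explicit cost, a correctly formatted random salt (the question from the opening post), constant-time verification, and a benchmark loop for choosing a cost on the machine that will run it. It assumes PHP 7 or later for random_bytes() and hash_equals(); the 0.25 s target and the cost range are illustrative choices, not values from the thread.

```php
<?php
// Added example (not from the thread): bcrypt via PHP's crypt() with an
// explicit cost, a properly formatted random salt, constant-time
// verification, and a benchmark loop for choosing the cost.
// Requires PHP 7+ (random_bytes, hash_equals). On PHP 5.5+ the same
// behaviour is available through password_hash()/password_verify().

declare(strict_types=1);

// A bcrypt salt is 22 characters from the alphabet ./A-Za-z0-9.
// Standard base64 already uses '/', so only '+' needs translating to '.'.
// Mixing your own string "randomly" is not needed: take bytes from the CSPRNG.
function bcryptSalt(int $cost): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

function bcryptHash(string $password, int $cost = 12): string
{
    // bcrypt only looks at the first 72 bytes of the password; reject
    // longer input instead of silently truncating it.
    if (strlen($password) > 72) {
        throw new InvalidArgumentException('password longer than 72 bytes');
    }
    $hash = crypt($password, bcryptSalt($cost));
    // crypt() signals failure with a short string such as "*0", not an exception.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not produce a bcrypt hash');
    }
    return $hash;
}

// The stored hash carries its own cost and salt, so verifying means
// re-running crypt() with the stored value as the "salt" and comparing
// the result in constant time.
function bcryptVerify(string $password, string $storedHash): bool
{
    if (strlen($password) > 72 || strlen($storedHash) !== 60) {
        return false;
    }
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Pick the highest cost that still hashes within $targetSeconds on this host.
// Each +1 doubles the work (2^cost key-setup rounds), so timings roughly double.
// This is the knob that answers "crypt() uses a lot of CPU": lower the cost
// until the login path fits your budget instead of abandoning bcrypt.
function tuneCost(float $targetSeconds = 0.25, int $minCost = 10, int $maxCost = 15): int
{
    $chosen = $minCost;
    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        $start = microtime(true);
        crypt('benchmark-password', bcryptSalt($cost));
        if (microtime(true) - $start > $targetSeconds) {
            break;
        }
        $chosen = $cost;
    }
    return $chosen;
}

// Usage with constructed input.
$hash = bcryptHash('correct horse battery staple', 12);
printf("%s (%d chars)\n", $hash, strlen($hash));
var_dump(bcryptVerify('correct horse battery staple', $hash));
var_dump(bcryptVerify('Correct horse battery staple', $hash));
printf("cost for roughly 0.25 s on this host: %d\n", tuneCost());
```

The salt string never has to be stored separately: crypt() embeds the prefix, cost and salt in its output, which is why bcryptVerify() can pass the stored hash straight back in as the salt argument.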

#3
[eluser]someone Smile[/eluser]
I have tried bcrypt and it works well, but after reading some articles I don't know what to use now. Some say it's better to use bcrypt (crypt() blowfish), but others tell me that it is easy to take a site down because crypt() uses a lot of CPU.

What's true, and do you recommend blowfish or sha512 (again, some are saying that blowfish is better)?

EDIT: Is the blowfish hash always 60 chars long?

#4
[eluser]Syllean[/eluser]
I found this tutorial quite helpful http://net.tutsplus.com/tutorials/php/un...words-safe.

#5
[eluser]InsiteFX[/eluser]
Ya, and they were just hacked storing passwords in plain text.

#6
[eluser]someone Smile[/eluser]
[quote author="someone Smile" date="1340715228"]I have tried bcrypt and it works well, but after reading some articles I don't know what to use now. Some say it's better to use bcrypt (crypt() blowfish), but others tell me that it is easy to take a site down because crypt() uses a lot of CPU.

What's true, and do you recommend blowfish or sha512 (again, some are saying that blowfish is better)?

EDIT: Is the blowfish hash always 60 chars long?[/quote]

I'm still interested in these two questions, so if anyone knows, please reply.

What about storing the hash in the database as in the linked article - is this secure?

Thanks! :-)

#7
[eluser]InsiteFX[/eluser]
SHA512 requires a database field of varchar(128) if you use that.

I hash mine with SHA512 and use the CodeIgniter 32-bit config encryption key to salt it; it also has a second parameter to pass in a random salt.
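The two open questions from post #6 (is a blowfish hash always 60 characters, and how should the hash be stored) and the column-sizing remark just above, as an added example that is not code from any poster: a parser that shows where the 60 characters of a bcrypt hash come from, a table sized for it, and a login routine that verifies with prepared statements and transparently re-hashes when the cost policy has been raised. The table name, column names, the SQLite in-memory DSN and the cost of 12 are assumptions for illustration; it requires PHP 7+ with the PDO SQLite driver.

```php
<?php
// Added example (not from the thread): bcrypt hash layout, column sizing,
// and verify-then-rehash on login. Table/column names, the DSN and the
// cost policy are illustrative assumptions.

declare(strict_types=1);

const BCRYPT_LENGTH = 60;
const CURRENT_COST  = 12;

// "$2y$" (4) + two-digit cost (2) + "$" (1) + 22-char salt + 31-char digest = 60.
// Any other length means the value is not a bcrypt hash (for example the
// "*0" error string crypt() returns) and must never be stored or trusted.
// PHP's crypt() emits $2y$; $2a$ and $2x$ are the older variants it also reads.
function parseBcrypt(string $hash): array
{
    if (!preg_match('/^\$2[axy]\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/', $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['cost' => (int) $m[1], 'salt' => $m[2], 'digest' => $m[3]];
}

function freshHash(string $password): string
{
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', CURRENT_COST, $salt));
    parseBcrypt($hash); // throws if crypt() failed
    return $hash;
}

// bcrypt never exceeds 60 chars, so CHAR(60) is exact. A hex SHA-512 digest
// is 128 chars (hence varchar(128) above); VARCHAR(255) leaves room if the
// algorithm, and therefore the prefix-tagged format, changes later.
const SCHEMA_SQL = 'CREATE TABLE IF NOT EXISTS users (
    id INTEGER PRIMARY KEY,
    username VARCHAR(64) NOT NULL UNIQUE,
    password_hash CHAR(60) NOT NULL
)';

function registerUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, freshHash($password)]);
}

// Returns true on success. Hashes made under a lower cost are upgraded on the
// spot, which is how "raise the work factor as hardware gets faster" is done
// in practice without forcing every user through a password reset.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Burn the same CPU for an unknown user as for a wrong password so the
        // response time does not reveal which usernames exist.
        crypt($password, sprintf('$2y$%02d$%s', CURRENT_COST, str_repeat('.', 22)));
        return false;
    }
    $stored = $row['password_hash'];
    if (strlen($stored) !== BCRYPT_LENGTH || !hash_equals($stored, crypt($password, $stored))) {
        return false;
    }
    if (parseBcrypt($stored)['cost'] < CURRENT_COST) {
        $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?')
           ->execute([freshHash($password), $row['id']]);
    }
    return true;
}

// Usage with an in-memory SQLite database and constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec(SCHEMA_SQL);
registerUser($db, 'alice', 'correct horse battery staple');
print_r(parseBcrypt($db->query("SELECT password_hash FROM users WHERE username = 'alice'")->fetchColumn()));
var_dump(login($db, 'alice', 'correct horse battery staple'));
var_dump(login($db, 'alice', 'wrong'));
var_dump(login($db, 'nobody', 'wrong'));
```

Storing the hash in the database is the normal design; what makes it safe is that the stored value is a salted, slow hash rather than the password itself, that it is written through a prepared statement, and that the column is sized so the 60-character value can never be silently truncated into something that fails to verify.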

