Geek Answers Handbook

Password Security in PHP

Which method would you call safe and secure? I shot these snippets from php.net. I am just curious because people posted their own, and I just could not understand why some of them are like them ... Can someone help me and tell me a little more about this? What would be the safest and why?

one.

<?php $hash = md5($salt1.$password.$salt2); ?>

2.

 <?php function eliteEncrypt($string) { // Create a salt $salt = md5($string."%*4!#$;\.k~'( _@ "); // Hash the string $string = md5("$salt$string$salt"); return $string; } ?>

3.

 <?php define ('SALT_ONE', 'some_random_123_collection_&$^%_of_stuff'); define ('SALT_TWO', 'another_random_%*!_collection_ANbu_of_stuff'); $password = 'dragon'; function generate_encrypted_password($str) { $new_pword = ''; if( defined('SALT_ONE') ): $new_pword .= md5(SALT_ONE); endif; $new_pword .= md5($str); if( defined('SALT_TWO') ): $new_pword .= md5(SALT_TWO); endif; return substr($new_pword, strlen($str), 40); } echo generate_encrypted_password($password); ?>

4.

 <? function enchsetenev($toencode,$times) { $salt = 's+(_a*'; for($zo=0;$zo<$times;$zo=$zo+1) { $toencode = hash('sha512',salt.$toencode); $toencode = md5($toencode.$salt); } return $toencode; } ?>

5.

 <?php $hash = $password . $salt; for ( $i = 0; $i < 10000; $i++ ) { $hash = md5( $hash ); } echo $hash; ?>
+7
source share
5 answers
  • This is a basic example of what we want, salt added to the password
  • This is the same example, but with the salt generation part.
  • Another way of salting, but still quite equivalent
  • This complex example makes absolutely no sense, hashing with two different hashing methods many times absolutely does not increase security.
  • As already mentioned, there is absolutely no point in performing a hash 10,000 times.

If you change the first example to:

 <?php $hash = hash('sha256', $salt1.$password.$salt2); ?>

It will be safe enough for 99% of the application.

The only question is how to generate salt. I recommend a fixed salt ($ salt2) and a salt generated for each user ($ salt1), which is stored in the password database.

This way, you are safe enough to attack with a rainbow table, even if someone is retrieving the contents of your database.

+5
source

The best option is to use something other than md5, check here for the previously asked question related to this.

0
source

there is no standard good answer for this. I know that safety and speed must be balanced. You could AES encrypt every information, but would that be possible? To answer your question, MD5 (which is one way of encryption) plus SALT (a really random string) is considered a good security standard. It is just fast and safe enough.

If you try to implement your own encryption, and that it will not be like this magic trick, when you mess up the wire too much, and yet it will cancel the wrist. Therefore, go to SALT + MD5 if you do not want to theorize theses.

0
source 
 <?php $hash = md5($salt1.$password.$salt2); ?>

This one, I think, is suitable for most purposes, so I will explain it. The reason is that there are two salts, because let's say that $ salt1 is unique for each user name, therefore its column in the user table (a random row generated during user registration), $ salt2 is stored in the file system somewhere in The config.ini file that was created when the application was installed and it is the same for all users. Now, to guess the password, the hacker will need $ salt1 and $ salt1, he can have access to salt1 via sql injection, but he does not have access to the file system where salt2 is inside config.ini, therefore, double protection.

0
source

Is there just 5 ways to do almost the same thing? I think the purpose of the training here is to understand the importance of salting passwords. The best way to salt is to use as much salt as possible, and the salt shaker contains as many crazy characters as possible.

-one
source

More articles:


All Articles