Storing passwords in php 5
By Justin Silverton
This topic is something that every PHP programmer will have to deal with at some point in their programming career. You have just created a system where a user needs to log in with some type of username/password combination, and you need to store that password somewhere (in a plain text file or in some type of database). How do you safely go about doing this? You could store it as plaintext, but this would be a bad idea: anyone with access to your server would also be able to read your passwords and the data they are meant to protect.
A simple yet effective approach
In the past, sha1() or md5() would have been the most effective and secure way to hash your data, but it has since been shown that these functions can be compromised, and there is another set of more secure functions.
The function is called hash(). Here is a summary of its signature and parameters:
string hash ( string algo, string data [, bool raw_output] )
Parameters
algo: Name of the selected hashing algorithm (e.g. "md5", "sha256", "haval160,4", etc.).
data: Message to be hashed.
raw_output: When set to TRUE, outputs raw binary data. The default (FALSE) outputs lowercase hexits.
Returns: A string containing the calculated message digest as lowercase hexits, unless raw_output is set to TRUE, in which case the raw binary representation of the digest is returned.
Using this function (note: hash() is only available in PHP 5.1.2 and above)
You can call hash_algos() to get a list of the system-specific hashing algorithms supported by your PHP build.
Inserting into your database/storing:
$password = hash('sha256', $_POST['password']);
4 Comments so far
This extension is only bundled (and enabled by default) as of PHP 5.1.2, however it can be built into any version going back to PHP 4.0.0 by installing the package from PECL.
In general, the strength of hashing is heavily dependent on the length of the string being hashed. Typically, a “salt” is added to the hashing in the form of a random string. This salt is stored with the encrypted password (so that you can check `$hash_pass = hash($salt . $pass)`). This gives you several benefits:
1) passwords are all longer, making brute-force dictionary attacks much more difficult.
2) it is almost impossible for two randomly-salted passwords to be identical, so knowing one password won’t give you access to all of the other users with that same password.
If you don’t salt your passwords, you are much more vulnerable to dictionary-based attacks due to the reduced computational complexity.
See http://en.wikipedia.org/wiki/Salt_%28cryptography%29 for further details.
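The following is an added example, not code from the original post or from the commenter above. It puts the post's hash() call and the comment's salting advice together: a per-user random salt is generated, `salt . password` is hashed with SHA-256 via hash(), and at login the submitted password is rehashed with the stored salt and compared. The function names (pwMakeSalt, pwHash, pwStoreRecord, pwVerify) are this example's own; it assumes PHP 5.3 or later with the OpenSSL extension for openssl_random_pseudo_bytes(), which the post's PHP 5.1.2 baseline does not guarantee.

```php
<?php
// Added example (not from the original post): salted SHA-256 password
// storage and verification using PHP's hash() extension (PHP >= 5.1.2).
// Salt generation uses openssl_random_pseudo_bytes(), which is an assumption
// of this example: it needs PHP >= 5.3 with the OpenSSL extension.

define('PW_ALGO', 'sha256');

// Check that the chosen algorithm is available on this build before relying on it.
function pwAlgoAvailable($algo = PW_ALGO)
{
    return in_array($algo, hash_algos(), true);
}

// Generate a random per-user salt, returned as hex so it fits a plain text column.
function pwMakeSalt($bytes = 16)
{
    return bin2hex(openssl_random_pseudo_bytes($bytes));
}

// Hash salt . password, as the comment above suggests. Returns a lowercase hex digest.
function pwHash($salt, $password, $algo = PW_ALGO)
{
    return hash($algo, $salt . $password);
}

// What gets stored per user: the salt and the digest, never the password itself.
function pwStoreRecord($password)
{
    $salt = pwMakeSalt();
    return array('salt' => $salt, 'hash' => pwHash($salt, $password));
}

// Verify at login: rehash the submitted password with the stored salt and compare
// it with the stored digest.
function pwVerify(array $record, $submitted)
{
    return $record['hash'] === pwHash($record['salt'], $submitted);
}

// Demonstration with constructed inputs (no real user data).
if (!pwAlgoAvailable()) {
    die("Algorithm " . PW_ALGO . " is not supported by this build of PHP\n");
}

// Two users choosing the same password get different digests because the salts differ.
$alice = pwStoreRecord('correct horse');
$bob   = pwStoreRecord('correct horse');
echo "digests differ for identical passwords: ";
var_dump($alice['hash'] !== $bob['hash']);

// Correct password verifies; a wrong one does not.
echo "alice correct password: ";
var_dump(pwVerify($alice, 'correct horse'));
echo "alice wrong password: ";
var_dump(pwVerify($alice, 'wrong password'));
```

Run it from the command line with `php example.php`. The salt column must be saved alongside the digest, since verification is impossible without it; in the post's `$_POST['password']` flow, `pwStoreRecord($_POST['password'])` replaces the bare hash() call at registration and `pwVerify($rowFromDb, $_POST['password'])` replaces it at login.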
$password = hash(’sha256′,$_POST[’password’);
You should replace the ’’ with ‘’. I don’t know if this was on purpose to make copy & pasters think a little themselves; I could think so.
$password = hash(’sha256′,$_POST[’password’);
Also you are missing a ] bracket on the $_POST[’password’].
PROPER: $password = hash('sha256', $_POST['password']);