May 27, 2013

Hashing in PHP - Best security tips

Hashing in PHP is a way to turn a string, usually a password, into a fixed-length digest.
One big mistake is storing passwords in the database in plain text: whoever gets access to the database can log in directly.
The most used hash types in PHP are md5, sha1, sha256 and sha512. SHA-512 is the strongest of them.
MD5 hashes can be cracked very fast because of the large precomputed lists of password hashes that exist.
If you paste an MD5 hash into one of the online lookup sites there is a good chance it will be cracked, since the site may already have the MD5 hash of your password stored in its database.

Best tips:

  • Use sha512
  • Strong password
  • Using salts
Let's take an example of sha512:
<?php echo hash('sha512', 'mypass'); ?>
Using a mix of different characters is better, e.g. gA@2#j,J%19&

Salts

A salt is a secret word which gets combined with the password or with the hash. This method is the best as long as the attacker does not have file read access to read the hash.

Salting the password

<?php
$pass = "gj.mgat.5d%GA";
$salt = "wK5&.gdxmja,5";
$pass = $pass.$salt;            // append the salt to the password first
$pass = hash('sha512', $pass);  // then hash the combined string
echo $pass;
?>

Salting the hash

<?php
$pass = "gj.mgat.5d%GA";
$salt = "wK5&.gdxmja,5";
$pass = hash('sha512', $pass);  // hash the password first
$pass = $pass.$salt;            // then append the salt to the hash
echo $pass;
?>
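The two snippets above use one fixed salt for every user. As an added example (not code from the original post), here is the same salted-sha512 construction carried through to storage and login verification, with a random salt generated per user and stored next to the hash. The helper names (make_salt, hash_password, create_record, verify_password) are my own, and the example assumes PHP 7 or later for random_bytes(); the sample password is a constructed value.

```php
<?php
// Added example: per-user random salt, stored alongside the sha512 hash.
// Assumes PHP >= 7.0 (random_bytes). hash() and hash_equals() are core functions.

function make_salt(): string
{
    // 16 random bytes, hex-encoded so it fits in a plain text column
    return bin2hex(random_bytes(16));
}

function hash_password(string $password, string $salt): string
{
    // Same construction as "Salting the password": hash(sha512, password . salt)
    return hash('sha512', $password . $salt);
}

function create_record(string $password): array
{
    // What you would store for a user: the salt and the salted hash, never the password
    $salt = make_salt();
    return ['salt' => $salt, 'hash' => hash_password($password, $salt)];
}

function verify_password(string $password, array $record): bool
{
    // Recompute with the stored salt and compare in constant time, so that the
    // comparison does not leak how many leading characters of the hash matched
    $candidate = hash_password($password, $record['salt']);
    return hash_equals($record['hash'], $candidate);
}

// Usage with constructed sample values
$record = create_record("gj.mgat.5d%GA");
var_dump(verify_password("gj.mgat.5d%GA", $record));
var_dump(verify_password("wrong-password", $record));

// Two users with the same password get different stored hashes, because each
// record has its own salt; a precomputed MD5/SHA lookup table cannot be reused.
$other = create_record("gj.mgat.5d%GA");
var_dump($record['hash'] === $other['hash']);
?>
```

Because the salt is random and stored with the hash, it no longer has to stay secret: its job is to make every hash unique so that a cracked list for one site cannot be applied to another. A fast hash such as sha512 still allows an attacker to try many guesses per second, so on PHP 5.5 or later password_hash() and password_verify(), which pick a salt and use a deliberately slow algorithm, are the preferred replacement for this hand-built flow.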
