0

A lot of websites these days are hacked and the password hashes are stolen. Even big websites like LinkedIn didn't store their passwords securely (just MD5).

Now my question is: what is a secure enough way to hash passwords?

Currently I'm using this:

sha512(sha512(sha512(password) + salt));

Is that secure enough?

VDVLeon

5 Answers

1
hash_hmac('sha512', $data , $key);

would be great. It is better to use at least 60 chars for $key as salt.

Farahmand
1

It is hard to say which one is best, but a safe bet is the BCrypt algorithm.

BCrypt is not the best algorithm out there; however, it is sufficient for the large majority of use cases, and it is just as easy to implement, if not easier, than the basic hash-and-salt method. What sets BCrypt apart is that instead of the more typical SHA-* algorithm, it leverages the Blowfish algorithm, which has the advantage of being much slower in parallel. Since users log in one-at-a-time, this makes it much harder for attackers, who will test numerous passwords, to beat the algorithm.

More here: http://davismj.me/blog/bcrypt/

Matthew James Davis
0

Yes, that's more than secure enough. Personally I think the last sha512 call is useless but I know opinions differ.

Of course, this is secure as long as passwords cannot be guessed using a brute force tactic. No amount of hashing will protect you if users choose a 4-letter password or the first name of their wife.

Denys Séguret
0

It depends on your salt. Are you generating a unique salt for each user? A salt is not a constant; if every password is hashed with the same salt, you're wasting your time.

I would recommend using bcrypt instead of the sha512/salt approach; it's much harder to brute force: http://krebsonsecurity.com/2012/06/how-companies-can-beef-up-password-security/
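
The bcrypt-with-a-unique-salt-per-user advice given in these answers, as an added PHP example that is not part of any answer: it uses PHP's built-in `password_hash()` / `password_verify()` and moves records stored with the question's sha512 scheme over to bcrypt at login. The function names, the record layout, the cost of 12 and the hex encoding of the old hashes are assumptions.

```php
<?php
const BCRYPT_COST = 12; // assumed work factor; tune it to your hardware

// The question's scheme (hex output assumed), kept only to verify old records once.
function legacy_hash(string $password, string $salt): string
{
    return hash('sha512', hash('sha512', hash('sha512', $password) . $salt));
}

// password_hash() draws a fresh random salt on every call and stores algorithm,
// cost and salt inside the returned string. bcrypt only reads the first 72 bytes.
function new_hash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// $record is a hypothetical user row: ['hash' => string, 'legacy_salt' => ?string].
// Returns [bool $ok, array $record]; the caller saves $record when it changed.
function login(string $password, array $record): array
{
    if ($record['legacy_salt'] !== null) {
        $expected = legacy_hash($password, $record['legacy_salt']);
        if (!hash_equals($record['hash'], $expected)) { // constant-time compare
            return [false, $record];
        }
        // The plaintext is only available now, so migrate the row to bcrypt.
        return [true, ['hash' => new_hash($password), 'legacy_salt' => null]];
    }
    if (!password_verify($password, $record['hash'])) {
        return [false, $record];
    }
    if (password_needs_rehash($record['hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $record['hash'] = new_hash($password); // cost was raised since this row was written
    }
    return [true, $record];
}

// Constructed sample data: one row stored with the old scheme.
$salt = bin2hex(random_bytes(16));
$row  = ['hash' => legacy_hash('correct horse', $salt), 'legacy_salt' => $salt];

[$ok, $row] = login('correct horse', $row);
printf("login ok: %s, stored as: %s\n", var_export($ok, true), substr($row['hash'], 0, 7));
$ok2 = login('wrong guess', $row)[0];
printf("wrong password accepted: %s\n", var_export($ok2, true));
printf("same password, same hash string: %s\n",
    var_export(new_hash('correct horse') === $row['hash'], true));
```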

0

Using salt like you are using now is a really good way to improve security. I highly recommend using a random salt for every user. IMHO, the more times you hash the user's password (you can improve security by adding salt before hashing each time), the more secure it will be. I use a for loop with like 256 repetitions to hash the password, which may be considered to be secure against brute force for the next bunch of years.

A little off topic, but I also recommend taking care of session hijacking (like regenerating ssids, etc.)

intense