5

So currently my code is using a standard sha1 to hash the password for database implementation.

What is or is there a better more securing way to store the password? Maybe MD5 (Yes I am joking)

For example I am using Codeigniter as my framework, What would be the best way to encrypt the passwords?

Jess McKenzie
  • 8,345
  • 27
  • 100
  • 170
  • Standard SHA-1 isn't good enough. You need salted SHA-1 *at least*. – Ignacio Vazquez-Abrams Aug 17 '12 at 06:03
  • you should read the [php Mcrypt library ](http://php.net/manual/en/book.mcrypt.php) and i think MCRYPT_RIJNDAEL_128 can be worthy – NullPoiиteя Aug 17 '12 at 06:03
  • @O.D I didn't downvote, but I guess it would be this question has been asked many times in SO. I asked a similar question myself: http://stackoverflow.com/questions/9420722/improve-password-hashing-with-a-random-salt – Tchoupi Aug 17 '12 at 20:22

4 Answers4

2

I would do it this way.

salt = For each user generate a random seed with a random length. 

iterations = Select a random number

while(iterations  != 0)  {

hashed_password = hash_function(password.salt) . salt;    iterations-- }

in the password field save them like so: 

hashed_password:salt:hash_function:iterations.

And at login use the new password in combination with salt, hash_function and iteration to hash it and compare the result with the hashed_password.

off course you can use multiple hash functions to like sha_x(md5(salt.password).salt).salt or what ever you want but make sure that you save it in some way in order to make the comparison at login.

thedethfox
  • 1,651
  • 2
  • 20
  • 38
  • I'd just create and use a normal authdb entry. That way the algorithm and programmer can be changed, and it will all work the same way. – Ignacio Vazquez-Abrams Aug 17 '12 at 06:29
  • 1
    +1. Salting(per user) and Iterations are pretty much enough. I would just like to add that iteration must be big enough to make brute force attacks very slow. And the used cryptographic function doesnt matter, md5 is just as good enough as long as you make is slow, but blowfish is recommended. – Imre L Aug 17 '12 at 06:50
1

This lib is very good: http://www.openwall.com/phpass/ It uses the crypt method with various algorithms and also has it's own based on md5 but with so many iterations and salt that it's "safe".

Johni
  • 2,933
  • 4
  • 28
  • 47
1

You should really use bcrypt to hash your passwords, it was designed especially for hashing password.

Hash functions for passwords should be slow (need some computing time). Most hash algorithms like SHA-1 and MD5 or even SHA-256 are designed to be fast, but this makes it an easy target for brute force attacks.

Don't be afraid to use bcrypt! It is not for high security sites only, and using it can be as easy, as using an md5 hash. It's recommended to use a well established library like phpass, and if you want to understand how it works, you can read this article, where i tried to explain the most important points.

martinstoeckli
  • 23,430
  • 6
  • 56
  • 87
0

SHA1 was brocken in 2005

February 15, 2005

SHA-1 Broken

SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing.

The research team of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu (mostly from Shandong University in China) have been quietly circulating a paper describing their results: collisions in the the full SHA-1 in 2*69 hash operations, much less than the brute-force attack of 2*80 operations based on the hash length.

collisions in SHA-0 in 2**39 operations.

collisions in 58-round SHA-1 in 2**33 operations.

Take a look at this comparisoion list.

CloudyMarble
  • 36,908
  • 70
  • 97
  • 130