Questions tagged [password-hash]

A password hash is the digest of a password produced by a one-way hashing algorithm (not to be confused with [password-encryption]). Password hashing functions differ from general-purpose hash functions in that they are deliberately slow and consume CPU and/or memory resources, so that guessing attacks against stored hashes are more expensive to carry out.


592 questions
324
votes
16 answers

Is "double hashing" a password less secure than just hashing it once?

Is hashing a password twice before storage any more or less secure than just hashing it once? What I'm talking about is doing this: $hashed_password = hash(hash($plaintext_password)); instead of just this: $hashed_password =…
Bill the Lizard
180
votes
5 answers

Best Practices: Salting & peppering passwords?

I came across a discussion in which I learned that what I'd been doing wasn't in fact salting passwords but peppering them, and I've since begun doing both with a function like: hash_function($salt.hash_function($pepper.$password)) [multiple…
Glitch Desire
175
votes
7 answers

How can I store my users' passwords safely?

How much more safe is this than plain MD5? I've just started looking into password security. I'm pretty new to PHP. $salt = 'csdnfgksdgojnmfnb'; $password = md5($salt.$_POST['password']); $result = mysql_query("SELECT id FROM users …
Rebar
142
votes
4 answers

How to use PHP's password_hash to hash and verify passwords

Recently I have been trying to implement my own security on a log in script I stumbled upon on the internet. After struggling to learn how to make my own script to generate a salt for each user, I stumbled upon password_hash. From what I…
Josh Potter
85
votes
9 answers

Password encryption at client side

Possible Duplicate: About password hashing system on client side I have to secure the passwords of my web site users. What I did was use MD5 encryption hashing on the server side. But the problem is the passwords remain in plain text until it…
dinesh senartne
67
votes
7 answers

What is currently the most secure one-way encryption algorithm?

As many will know, one-way encryption is a handy way to encrypt user passwords in databases. That way, even the administrator of the database cannot know a user's password, but will have to take a password guess, encrypt that with the same algorithm…
Teekin
56
votes
7 answers

Node.js hashing of passwords

I am currently using the following for hashing passwords: var pass_shasum = crypto.createHash('sha256').update(req.body.password).digest('hex'); Could you please suggest improvements to make the project safer?
alditis
35
votes
6 answers

What is an alternative for bcrypt to use with node?

I have tried for days to get bcrypt installed on my Windows machine with no luck. One of the dependencies (Windows 7 SDK) does not want to be installed; even though I have tried numerous suggestions from around the net, it just refuses to cooperate. I…
Kory
28
votes
7 answers

How to upgrade a password storage scheme (change hashing-algorithm)

I've been asked to implement some changes/updates to an intranet site; make it 'future proof' as they call it. We found that the passwords are hashed using the MD5 algorithm. (The system has been around since 2001, so it was adequate at the time.) We…
Jacco
26
votes
5 answers

Salting passwords 101

Could someone please help me understand how salting works? So far I understand the following: Validate password Generate a random string Hash the password and the random string and concat them, then store them in the password field... How do we…
Mohamad
23
votes
1 answer

Call to undefined function password_hash()

I am running php version 5.4.16 on localhost right now, while I am developing my site. I want to use password_hash(), but I keep getting this error: Fatal error: Call to undefined function password_hash() in /dir/to/file.php on line 123 Why is…
22
votes
4 answers

Is this a good hashing password function in PHP? If not, why not?

I'm wondering if this function (which is in part taken from a ~2 year old phpBB version) is good enough. If not, why? And how would you change it (making the transition seamless for existing users)? The result of hash_pwd() is what will be saved…
koichirose
18
votes
5 answers

Generate SHA256 hash in Objective-C

So I need to generate a SHA256 password in Objective-C, and can't figure out for the life of me how to do it! Is there something easy I'm just missing? I've tried implementing the following method (which was written for iPhone, but I figured maybe…
garetmckinley
18
votes
1 answer

Crypt for password hashing. Blowfish produces weird output

I am having a little bit of trouble understanding PHP's crypt function. My PHP version is 5.4.7. I want to use crypt to store salted passwords in the database, because as far as I am told, developers who use md5 to hash passwords are to be…
Anpan
17
votes
1 answer

Argon2 Algorithm in PHP7: understanding the time_cost parameter

I'm trying to implement the Argon2 algorithm in an authentication library. I want to be able to provide some useful tips for the users to set the parameters. While I understand how the memory_cost and threads parameters affect the algorithm, I can't…
Indigo