The right way to create salted hash passwords

Question

The right way to create salted hash passwords

I am new to storing passwords in databases and from what I read I created a simple php script below

<?php
  $salt =  openssl_random_pseudo_bytes (16);
  $password = "test";
  $hash = hash ("sha512" , $salt . $password);

  echo $hash;
?>

Am I doing it right?
If salt is stored in databases as a byte data type?
Should the final hash be stored in Stat datatype in the database?

+2

security php hash salt

Arya Jul 21 '14 at 10:07

source share

3 answers

(PHP 5 >= 5.5.0), php.

:

$options = [
    'cost' => 11,
    'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM), // or your own salt here
];

$pass_hash = password_hash("helloworld", PASSWORD_BCRYPT, $options);

if (password_verify('helloworld', $pass_hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}

+1

Latheesan 21 . '14 10:15

. , . , : 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824, - aaabbb. , , 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824aaabbb. , 6 - . , .

-2

user3860198 21 . '14 10:16

martinstoeckli · Accepted Answer · 2014-07-21T11:16:20+0000

SHA * algorithms are not suitable for hash passwords because they are too fast and therefore can be too rough. Instead, you should use a slow algorithm such as BCrypt or PBKDF2 with a cost factor that controls the time needed.

PHP BCrypt password_hash(). PHP.

// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);

// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);

, , .

, . 60- -. password_verify() . .

The right way to create salted hash passwords

More articles: