All geek questions in one place

Is it safe to store PHP crypt () result in db?

For example, with blowfish, it returns something like:

$2a$12$DEzG.CRsHpxpTOAHooQ.wuR6Xe9h6PxFPhOcOvf.lqDNw1TVYVnEO

It contains alg hash type information and contains salt. Many resources say that they simply store this value in db and it will be safe. But could someone just check the general list of passwords for these values ​​in order to crack some of them?

+6
source share
4 answers

Password hashing security does not come from secret information. You have already canceled the actual secret, namely the password, which is the basis for the hash value. The remaining hash is just a fingerprint of this source data. Security comes from the fact that it is not possible to get raw data from a hash. The only way is to try all possible passwords and see what creates the same hash. Security here is due to the fact that it is computationally expensive and unlikely to succeed over a useful period of time.

The salt is only introduced so that someone does not use the already programmed set of known hashed passwords, forcing the attacker to actually rephrase all possible passwords using a unique salt. The salt itself is not a secret, and is not a hashing algorithm.

In short: yes, it is absolutely safe to store this value in the database.

+7
source

The hash generated by crypt() is specifically designed for storage. No matter what your password hashing scheme is, if someone takes possession of the contents of your database, they can force your passwords roughly, and you don’t have the option to store password hashes at all. The algorithms used by crypt() are specially chosen because they take considerable time to calculate the hash; it is not obvious when you verify only one password, but the coarse forced thousands of passwords become impractically slow.

+4
source

But could someone just check the general list of passwords against these values ​​to crack some of them?

You can always no matter how passwords are stored. The crypt function does not interfere with this, but it will make it really very slow. If the user uses a truly common password (123456), no hashing algorithm in the world will protect him.

If you prohibit these simple passwords and use a good hashing algorithm (this is the crypt () clause), you have done everything possible to protect the passwords.

+1
source

If someone has access to your database, they will have access to salt anyway, since you must use a different salt for each user password (which you would most likely have saved in the database).

The salt point is such that the rainbow tables do not work. To determine the password, the individual will need to reuse any combination of password + salt. You use a different salt for each password, so it must regenerate millions of hashes for each of them.

More information about the crypt can be found here: Why does PHP crypt () add salt to the hash?

0
source

Source: https://habr.com/ru/post/917610/

More articles:


All Articles