PHP

MdaUZH, 2016-01-18 00:47:28

Cryptography, password hashing password_hash?

Hello everyone, everything was fine until I read another article about password hashing and cryptography.
No matter how much I read, everything just falls into a rut and leads me to a single and logical answer, when suddenly another article comes across that turns everything upside down.
In general, a couple of questions:
1. Is it necessary and safe to use password_hash to hash a password?
2. Is it reasonable to use PASSWORD_DEFAULT, or is it better to use your own salt? (If a salt, is it reasonable to store a separate salt for each user in the database, or how is it done?)
2.2 After all, PHP is constantly expanding and everything is changing; soon a better hashing mechanism may appear, and with your own salt you wouldn't have to change much, it would be easier.
2.2.1 Or, as an option, change the hashing method altogether (which I thought was not entirely realistic if many users are registered).
I would be very grateful :)

1 answer(s)
Sergey, 2016-01-18
@MdaUZH

Is it necessary and safe to use password_hash to hash a password?

Yes, it is, and it is safe. Moreover, do not forget to check the password with password_verify.
Reasonable, because most developers don't bother much with salt generation. Concerning storage in a DB: it is stored directly in the string that is returned after hashing the password, if anything. Don't sweat it. The essence of salt is to increase the password guessing time, just like using slow algorithms like bcrypt.
PHP can be considered a fairly mature language; it is very strict about backward compatibility. Well, yes, they won't come up with better hashing mechanisms, but they may come up with a better algorithm (for example, bcrypt is now widely used, including in PHP by default, but there is already scrypt, which is better but has not yet passed the test of time).
bcrypt should suffice. For new users, you can use a different method and ask old users to change their password. There are tons of different strategies.
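How the answer's advice fits together in practice, as an added example that is not code from the original post: password_hash() embeds its random salt in the returned string, password_verify() checks a login, and password_needs_rehash() (a standard PHP function) upgrades an old hash at login time, which is one way to handle the migration the answer mentions. The $users array is a stand-in for the users table and the sample data is constructed.

```php
<?php
// Added example, not code from the original post. Shows password_hash /
// password_verify and how an old hash is upgraded on login with
// password_needs_rehash. $users stands in for the users table (constructed).

// Current hashing policy. PASSWORD_DEFAULT is bcrypt at the time of writing;
// if PHP changes the default or the cost is raised, password_needs_rehash() notices.
const HASH_ALGO = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12];

function registerUser(array &$users, string $login, string $password): void
{
    // password_hash() generates a random salt itself and returns one string
    // ("$2y$<cost>$<22-char salt><31-char hash>"), so only this column is stored.
    $users[$login] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

function loginUser(array &$users, string $login, string $password): bool
{
    static $dummyHash = null;
    if (!isset($users[$login])) {
        // Verify against a dummy hash so an unknown login takes about as long
        // as a wrong password and cannot be told apart by response time.
        if ($dummyHash === null) {
            $dummyHash = password_hash('dummy', HASH_ALGO, HASH_OPTIONS);
        }
        password_verify($password, $dummyHash);
        return false;
    }
    if (!password_verify($password, $users[$login])) {
        return false;
    }
    // The user just proved the plaintext, so this is the moment to re-hash
    // if the stored hash uses an older algorithm or a lower cost than the policy.
    if (password_needs_rehash($users[$login], HASH_ALGO, HASH_OPTIONS)) {
        $users[$login] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

// Demo: alice's stored hash was made under an old policy (bcrypt, cost 10).
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10])];
echo substr($users['alice'], 0, 7), PHP_EOL;                         // algorithm/cost prefix before login
var_dump(loginUser($users, 'alice', 'wrong password'));              // rejected, hash untouched
var_dump(loginUser($users, 'alice', 'correct horse battery staple')); // accepted, hash upgraded
echo substr($users['alice'], 0, 7), PHP_EOL;                         // prefix after upgrade
registerUser($users, 'bob', 'hunter2');                              // new user gets current policy
```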
