How to hash password correctly in PHP? filter_list
RE: How to hash password correctly in PHP? #21
(08-26-2017, 08:40 PM)Sikom Wrote:
(08-26-2017, 12:48 PM)Pikami Wrote:
(08-26-2017, 11:15 AM)Sikom Wrote: Would agree with that being beyond stupid


Is this a good solution @'ender'?
Code:
function hashPassword($password, $salt){
   $secretkey = 'A long key that is in code. Over 1000 chars';
   
   //Amount of iterations
   $iterations = 100;
   $hash = hash('sha512', $salt . $password . $secretkey);

   // bug fix: the loop variable was written as "i" instead of "$i", so the loop never ran
   for($i = 0; $i < $iterations-1; $i++) {
       $hash = hash('sha512', $salt . $hash . $secretkey);
   }
   return $hash;
}
function checkPassword($password, $hashedPassword, $salt){
   //Hashes the password for comparing to the hashedPassword in the db
   $hash = hashPassword($password, $salt);

   //Sleep to prevent a timing attack
   usleep(random_int(100,1000));
   if($hash === $hashedPassword){
       return true;
   }
   return false;
}

This is not a good solution.
Use BCRYPT man

Why is that not a good solution?

SHA was not created for hashing passwords, it was made for hashing files and other data for integrity. The thing is SHA is optimized for speed, which means that it's easy to bruteforce; bcrypt is slow so cracking takes fucking ages.

Reply
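The bcrypt route Pikami is pointing at, written out as an added example (this is not code from any poster in the thread). It uses PHP's built-in password_hash()/password_verify(), which generate a per-password random salt and compare in constant time, so the secret key, the manual loop and the random usleep() from the quoted code are all unnecessary. The cost value and the sample passwords are assumptions.

```php
<?php
// Added example: hashing and verifying a password with PHP's built-in bcrypt
// support. password_hash() generates a random 16-byte salt for every call and
// embeds algorithm, cost and salt in the returned string, so nothing else has
// to be stored alongside it.

const BCRYPT_COST = 12; // assumption: tune so one hash takes roughly 100-250 ms on your hardware

function hash_password(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function verify_password(string $password, string $storedHash): bool {
    // password_verify() reads salt and cost from $storedHash and compares in
    // constant time, so no hash_equals() or sleep is needed here.
    return password_verify($password, $storedHash);
}

// Returns a fresh hash when the stored one was made with a lower cost (or a
// different algorithm), so old hashes can be upgraded transparently at login.
function rehash_if_needed(string $password, string $storedHash): ?string {
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return hash_password($password);
    }
    return null;
}

// Constructed demo values.
$hash = hash_password('correct horse battery staple');
var_dump(verify_password('correct horse battery staple', $hash));
var_dump(verify_password('Correct horse battery staple', $hash));

// Two hashes of the same password differ because each call draws its own salt.
var_dump($hash === hash_password('correct horse battery staple'));

// A hash made with a lower cost is flagged for upgrade on the next successful login.
$oldHash = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
var_dump(rehash_if_needed('correct horse battery staple', $oldHash) !== null);
```

The rehash step is what lets you raise the cost over the years as hardware gets faster without forcing a password reset: verify with the stored hash first, and only after success replace it with the stronger one.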

RE: How to hash password correctly in PHP? #22
As @"Ecks" and others have mentioned, salting is imperative in hashing passwords (and Computerphile is great). Without salts, you'll have a repeat of the Adobe incident if your database is compromised. They didn't salt their hashes (so identical passwords had identical hashes) and stored password hints, so it was essentially a giant crossword puzzle for the hackers.

Additionally, DO NOT USE MD5 or any other algorithm with a documented, applied (i.e. not theoretical) attack. I don't care that MD5 is faster or takes up less space (which is pretty much negligible anyway); if you don't want to be vulnerable to proven attacks, don't use it. See the following links for explanations/data.
https://en.wikipedia.org/wiki/Cryptograp...h_function
https://en.wikipedia.org/wiki/Hash_funct...ty_summary

The following code should serve as a viable hashing process. See hash_algos() for a list of algorithms.
Code:
<?php
// change to desired algorithm
const HASH="sha512";

function hash_passwd($pass,$len=8,$binary=true){
    $salt="";
    // generate salt $len characters long
    for($i=0;$i<$len;$i++)
        $salt.=chr(mt_rand()%255);

    return array(
        // bug fix: the password is in $pass, not $hash (which was undefined here)
        "hash" => hash(HASH,$pass.$salt,$binary),
        "salt" => $salt
    );
}
Use the "hash" and "salt" keys to access their respective values in the array returned from hash_passwd().

Finally, use hash_equals() to mitigate timing attacks when comparing hashes.

Edit: @"Pikami": SHA-256 and SHA-512 are viable for cryptographic use but you're correct in respect to SHA-1, which has been documented as cracked several times.
(This post was last modified: 08-27-2017, 02:37 AM by Inori.)
It's often the outcasts, the iconoclasts ... those who have the least to lose because they
don't have much in the first place, who feel the new currents and ride them the farthest.

Reply
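Inori's salt-and-hash scheme with the two points of this post applied correctly, as an added example (not Inori's own code): the salt comes from random_bytes(), a CSPRNG, rather than mt_rand(), and the comparison goes through hash_equals() so its running time does not depend on where the first differing byte sits. The 16-byte salt length and the hex encoding for storage are assumptions.

```php
<?php
// Added example: salted SHA-512 with a CSPRNG salt and a constant-time compare.
// mt_rand() is not a cryptographic generator, so the salt is drawn from
// random_bytes() instead; hash_equals() replaces === for the comparison.

const HASH_ALGO = 'sha512'; // see hash_algos() for the available names
const SALT_BYTES = 16;      // assumption: 16 random bytes per password

function hash_passwd(string $pass): array {
    $salt = random_bytes(SALT_BYTES);
    return [
        'hash' => hash(HASH_ALGO, $pass . $salt, true),
        'salt' => $salt,
    ];
}

function check_passwd(string $pass, string $storedHash, string $salt): bool {
    $candidate = hash(HASH_ALGO, $pass . $salt, true);
    // hash_equals() always examines the full length; a plain === stops at the
    // first differing byte and so leaks how much of the hash matched.
    return hash_equals($storedHash, $candidate);
}

// Constructed demo: what would be written to the database and read back.
$record = hash_passwd('hunter2');
$stored = ['hash' => bin2hex($record['hash']), 'salt' => bin2hex($record['salt'])];

var_dump(check_passwd('hunter2', hex2bin($stored['hash']), hex2bin($stored['salt'])));
var_dump(check_passwd('hunter3', hex2bin($stored['hash']), hex2bin($stored['salt'])));
```

Note that this fixes the salt and the comparison only: a single SHA-512 round is still fast to compute, which is exactly the objection Pikami raises above, so password_hash() with bcrypt remains the better default.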

RE: How to hash password correctly in PHP? #23
As well on the topic of security, databases, and SQL, always remember to sanitize your inputs or you run the risk of leaking the contents of your db, as well as having it deleted altogether.
It's often the outcasts, the iconoclasts ... those who have the least to lose because they
don't have much in the first place, who feel the new currents and ride them the farthest.

Reply

RE: How to hash password correctly in PHP? #24
(08-27-2017, 02:41 AM)Inori Wrote: As well on the topic of security, databases, and SQL, always remember to sanitize your inputs

Absolutely.

Sanitizing an SQL query based on user input is of utmost importance. It's appalling how many organizations (I come across every day) neglect this altogether.

Reply
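How the "sanitize your inputs" advice from the last two posts looks in practice when storing and checking a bcrypt hash, as an added example that is not code from any poster: prepared statements keep the username and password out of the SQL text entirely. It uses an in-memory SQLite database (requires the pdo_sqlite extension) so it runs stand-alone; the table layout and the sample users are assumptions.

```php
<?php
// Added example: storing and checking a password hash through PDO prepared
// statements. User-supplied values travel as bound parameters, so a username
// containing quotes or SQL keywords is matched literally, never executed.

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
// assumption: a minimal users table
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');

function create_user(PDO $db, string $username, string $password): void {
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([
        ':u' => $username,
        ':p' => password_hash($password, PASSWORD_BCRYPT),
    ]);
}

function login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still run one bcrypt verification against a dummy hash so
        // the response time does not reveal which usernames exist.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('dummy', PASSWORD_BCRYPT);
        }
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $row['password']);
}

// Constructed demo.
create_user($db, 'alice', 'correct horse battery staple');
var_dump(login($db, 'alice', 'correct horse battery staple'));
var_dump(login($db, 'alice', 'wrong password'));
var_dump(login($db, "alice' --", 'anything'));
var_dump(login($db, 'nobody', 'anything'));
```

The third lookup illustrates the point: the odd username simply finds no row, because the driver sends it as data rather than splicing it into the query string.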

RE: How to hash password correctly in PHP? #25
PASSWORD_DEFAULT could change (Highly unlikely) so I suggest PASSWORD_BCRYPT

Reply

RE: How to hash password correctly in PHP? #26
Code:
<?php

    function hash_passwd($pass) {
        $pass = md5($pass);
        $pass = base64_encode($pass);
        return password_hash($pass, PASSWORD_BCRYPT);
    }
    
    function check_passwd($pass, $hash) {
        $pass = md5($pass);
        $pass = base64_encode($pass);
        $check = password_verify($pass,$hash);
        if($check == 1) {
            return 1;
        } else {
            return 0;
        }
    }
    
    $pass = "Test";
    $hash = hash_passwd($pass);
    $verify = check_passwd($pass,$hash);
    $wrongVerify = check_passwd("test", $hash);
    
    echo $hash;
    echo "\n\nCorrect Hash/Pass Test: ";
    echo $verify;
    echo "\n\nIncorrect Hash/Pass Test: ";
    echo $wrongVerify;

It takes the pass and hashes in md5 (already non reversible but easy to dictionary attack), then takes that and base64 encrypts it, then bcrypts the base64 encrypt. (Overkill a bit)

Tbh you'd be fine with just password_hash($pass, PASSWORD_BCRYPT);

Reply

RE: How to hash password correctly in PHP? #27
(08-28-2017, 06:56 PM)Mystique Wrote: It takes the pass and hashes in md5 (already non reversible but easy to dictionary attack), then takes that and base64 encrypts it, then bcrypts the base64 encrypt. (Overkill a bit)

Tbh you'd be fine with just password_hash($pass, PASSWORD_BCRYPT);

Again, DO NOT USE MD5 IN PRODUCTION. As I outlined in my post, and as you said here, it's extremely vulnerable and should not be used.
It's often the outcasts, the iconoclasts ... those who have the least to lose because they
don't have much in the first place, who feel the new currents and ride them the farthest.

Reply

RE: How to hash password correctly in PHP? #28
It's useful to read this thread to help you learn about Timing Attacks so you don't get hacked due to a timing attack.
I would use bcrypt as it cannot be brute forced, broken with password dictionaries, or broken with rainbow tables.
(This post was last modified: 12-17-2017, 09:23 PM by innocent21.)

Reply

RE: How to hash password correctly in PHP? #29
this is how my passwords are encrypted

$unhashedPassword = "test";
$hashedPassword = password_hash($unhashedPassword, PASSWORD_BCRYPT);
$user->update("users", array("password"=>self::sanitize($hashedPassword)), "id", $_SESSION['id']);

Reply

RE: How to hash password correctly in PHP? #30
(01-31-2018, 05:43 PM)PhucedMODZ Wrote: this is how my passwords are encrypted

$unhashedPassword = "test";
$hashedPassword = password_hash($unhashedPassword, PASSWORD_BCRYPT);
$user->update("users", array("password"=>self::sanitize($hashedPassword)), "id", $_SESSION['id']);

Make sure to tick the "Disable Smilies" checkbox next time or just use code tags for your code since it kinda sucks if it replaces some parts of your code with smilies.
I'd recommend using a salt for your passwords, just to make it a little bit more secure. It's not really required but helps if you want to do it as secure as possible.

Reply