RE: How to hash password correctly in PHP? 08-26-2017, 11:15 AM
#18
(08-25-2017, 11:54 PM)Ender Wrote:(08-25-2017, 10:00 PM)Jakub Wrote:(08-25-2017, 09:53 PM)Sikom Wrote: md5 is not really secure though is it?
i'm working with it for 1 year now and for now it's okay. But i have my own "hash" function so if double md5 with salt fails i will switch to my hash function
This beyond stupid.
MD5 was peer reviewed and looked over by tons of security experts, yet it was still broken.
Your own algorithm is probably not as advanced as MD5, and is a major security hole.
Use bcrypt or something ffs
Would agree with that being beyond stupid
Is this a good solution @'ender'?
Code:
function hashPassword($password, $salt){
$secretkey = 'A long key that is in code. Over 1000 chars';
//Amount of iterations
$iterations = 100;
$hash = hash('sha512', $salt . $password . $secretkey);
for($i = 0; i < $iterations-1; $i++) {
$hash = hash('sha512', $salt . $hash . $secretkey);
}
return $hash;
}
function checkPassword($password, $hashedPassword, $salt){
//Hashes the password for comparing to the hashedPassword in the db
$hash = hashPassword($password, $salt);
//Sleep to prevent a timing attack
usleep(random_int(100,1000));
if($hash === $hashedPassword){
return true;
}
return false;
}
(This post was last modified: 08-26-2017, 11:21 AM by Sikom.)
![[+]](https://sinister.ly/images/modern/collapse_collapsed.png)