RE: How to hash password correctly in PHP? 08-26-2017, 08:40 PM
#20
(08-26-2017, 12:48 PM)Pikami Wrote:
(08-26-2017, 11:15 AM)Sikom Wrote:
(08-25-2017, 11:54 PM)Ender Wrote:
This is beyond stupid.
MD5 was peer reviewed and looked over by tons of security experts, yet it was still broken.
Your own algorithm is probably not as advanced as MD5, and is a major security hole.
Use bcrypt or something ffs
Would agree with that being beyond stupid
Is this a good solution @'ender'?
Code:
function hashPassword($password, $salt){
    // Static secret appended to every hash input
    $secretkey = 'A long key that is in code. Over 1000 chars';
    // Amount of iterations
    $iterations = 100;
    // First round: salt + password + secret key
    $hash = hash('sha512', $salt . $password . $secretkey);
    // Remaining rounds re-hash the previous digest
    for($i = 0; $i < $iterations-1; $i++) {
        $hash = hash('sha512', $salt . $hash . $secretkey);
    }
    return $hash;
}
function checkPassword($password, $hashedPassword, $salt){
    // Hashes the password for comparing to the hashedPassword in the db
    $hash = hashPassword($password, $salt);
    // Sleep to prevent a timing attack
    usleep(random_int(100,1000));
    if($hash === $hashedPassword){
        return true;
    }
    return false;
}
This is not a good solution.
Use BCRYPT man
Why is that not a good solution?
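
For comparison with the hand-rolled SHA-512 loop quoted above, here is the bcrypt route using PHP's built-in password API. This is an added example, not code from any poster in the thread. The `PEPPER` constant, the cost of 12, the `prehash()` and `needsUpgrade()` helpers and the sample passwords are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical pepper for this example; in practice it would be loaded
// from configuration outside the code base rather than hard-coded.
const PEPPER = 'constructed-example-pepper';
const BCRYPT_OPTIONS = ['cost' => 12];

// bcrypt only reads the first 72 bytes of its input and stops at a NUL
// byte, so the password is first reduced to a fixed-length HMAC and
// base64-encoded (48 raw bytes become 64 printable characters).
function prehash(string $password): string
{
    return base64_encode(hash_hmac('sha384', $password, PEPPER, true));
}

// password_hash() generates a random salt itself and stores algorithm,
// cost and salt inside the returned string, so no separate salt
// parameter or column is needed.
function hashPassword(string $password): string
{
    return password_hash(prehash($password), PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

// password_verify() reads salt and cost back out of the stored hash and
// compares in constant time, so no usleep() is needed.
function checkPassword(string $password, string $storedHash): bool
{
    return password_verify(prehash($password), $storedHash);
}

// True when the stored hash was made with another algorithm or a lower
// cost; call after a successful login and re-hash if it returns true.
function needsUpgrade(string $storedHash): bool
{
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

// Constructed sample values
$stored = hashPassword('correct horse battery staple');
var_dump(checkPassword('correct horse battery staple', $stored));
var_dump(checkPassword('wrong guess', $stored));
var_dump(needsUpgrade($stored));
```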