How to hash password correctly in PHP?
RE: How to hash password correctly in PHP? #21
(08-26-2017, 08:40 PM)Sikom Wrote:
(08-26-2017, 12:48 PM)Pikami Wrote:
(08-26-2017, 11:15 AM)Sikom Wrote: Would agree with that being beyond stupid


Is this a good solution @'ender'?
Code:
function hashPassword($password, $salt){
   $secretkey = 'A long key that is in code. Over 1000 chars';
   
   //Amount of iterations
   $iterations = 100;
   $hash = hash('sha512', $salt . $password . $secretkey);

   for($i = 0; $i < $iterations-1; $i++) {
       $hash = hash('sha512', $salt . $hash . $secretkey);
   }
   return $hash;
}
function checkPassword($password, $hashedPassword, $salt){
   //Hashes the password for comparing to the hashedPassword in the db
   $hash = hashPassword($password, $salt);

   //Sleep to prevent a timing attack
   usleep(random_int(100,1000));
   if($hash === $hashedPassword){
       return true;
   }
   return false;
}

This is not a good solution.
Use BCRYPT, man.

Why is that not a good solution?

SHA was not created for hashing passwords; it was made for hashing files and other data for integrity. The thing is, SHA is optimized for speed, which means that it's easy to bruteforce. bcrypt is slow, so cracking takes fucking ages.

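The bcrypt approach recommended in the reply above, as an added example that is not code from any poster in this thread. It uses PHP's built-in `password_hash()`, `password_verify()` and `password_needs_rehash()`; the function names, the cost of 12 and the sample password are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed work factor for this example; raise it as far as login latency allows.
const BCRYPT_COST = 12;

// Replaces the thread's hashPassword(): bcrypt generates and embeds its own
// random salt, so no $salt argument or hard-coded secret key is needed.
function hashPasswordBcrypt(string $password): string
{
    // bcrypt uses only the first 72 bytes; reject longer input rather than truncate.
    if (strlen($password) > 72) {
        throw new InvalidArgumentException('Password exceeds 72 bytes');
    }
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Replaces checkPassword(): password_verify() reads salt and cost from the stored
// hash and is timing-safe, so no usleep() is needed. Returns [ok, newHash];
// newHash is non-null when the stored hash used a lower cost and should be saved.
function checkPasswordBcrypt(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    $stale = password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    return [true, $stale ? hashPasswordBcrypt($password) : null];
}

// Wall-clock seconds for one password guess with the given hashing routine.
function secondsPerGuess(callable $fn): float
{
    $start = microtime(true);
    $fn();
    return microtime(true) - $start;
}

// Constructed sample inputs: the thread's 100-round SHA-512 loop vs one bcrypt hash.
$sha = secondsPerGuess(function () {
    $h = hash('sha512', 'salt' . 'hunter2' . 'key');
    for ($i = 0; $i < 99; $i++) {
        $h = hash('sha512', 'salt' . $h . 'key');
    }
});
$bcrypt = secondsPerGuess(fn () => hashPasswordBcrypt('hunter2'));
printf("sha512 x100: %.6fs, bcrypt cost %d: %.6fs\n", $sha, BCRYPT_COST, $bcrypt);

$legacy = password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 10]); // constructed old hash
[$ok, $newHash] = checkPasswordBcrypt('hunter2', $legacy);
var_dump($ok, $newHash !== null);
```

The printed timings depend on the machine; the per-guess cost of bcrypt grows by a factor of two for each increment of the cost parameter.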





Messages In This Thread
How to hash password correctly in PHP? - by Sikom - 05-29-2017, 10:10 PM
RE: How to hash password correctly in PHP? - by Pikami - 08-27-2017, 01:41 AM


