Hashing passwords properly

[Lykos22]

Before I begin, I tried to do some research about this subject (the Search field seems its broken and through google was a little bit painful) in the forum, so I'd like to apologise if I'm repeating it once again. I have read some articles about hashing passwords saying that md5 and sha1 are no longer safe and should use better hashing algorithms, how to hash passwords properly by avoiding double hashing, hashing with different algorithms etc etc, so I 've come up with some questions/spots that I haven't cleared them out completely. 1. Doing just this is consinder no safe, although md5 and sha1 cannot be reversed:

$password=md5('my_sercretpassword123'); //for instance my password is my_sercretpassword123 although its a bad practice$password=sha1('my_sercretpassword123');

My first question is If I use one of these, using a salt isn't consider safe? eg:

$password= 'my_sercretpassword123';$salt = 'lorem_ipsumd0l0rs1t@m3tc0ns3ct3tur@d1p1sc1ng3lit';$password = md5($password.$hash); //same with sha1

If anyone manages to crack this hash, will get the string 'my_sercretpassword123lorem_ipsumd0l0rs1t@m3tc0ns3ct3tur@d1p1sc1ng3lit', which isn't the actual password, right? 2. Supposing the 1st option note is not approved, then I guess I have use a better hashing algorithm like whirlpool or sha256, sha512 ect etc. So If I apply the same functionality like this:

$password= 'my_sercretp@ssword123';$salt = 'lorem_ipsumd0l0rs1t@m3tc0ns3ct3tur@d1p1sc1ng3lit';$hashed_password = $password.$hash;$hashed_password = hash('whirlpool',$hashed_password);

is it safe enough or I have better come with something more difficult?? I tried to google for some tutorials on this, just to get some ideas, but most of them, if not all, use plain md5 or sha1. Could you give me some examples or ideas on that?

Edited March 28, 2013 by Lykos22

[birbal]

Technique for salting is same regardless of hashing algorithm. Problem is in the algorithm itself in md5 or sha1.

If anyone manages to crack this hash, will get the string 'my_sercretpassword123lorem_ipsumd0l0rs1t@m3tc0ns3ct3tur@d1p1sc1ng3lit, which isn't the actual password.

If an attacker able to crack the hash (hashing algorithm) salting will have no use. they can easily figure out the pass from that. salt is used so that two same password in server (same or different) never will look same when they have hashed. you can use crypt() which supports sha256,sha512 and blowfish (recommended). it also supports iteration which will make it more secure. the longer the time will take to hash, more better. you can set a server specific salt with some user specific salt. there is previous discussion about this if you search the forum. http://php.net/crypt

[justsomeguy]

I would recommend this: http://www.openwall.com/phpass/

[Lykos22]

Well, I have done this in case of a personal website, where there's only one user,me:

$password = $_POST['password']; // password: my_sercretp@ssword123function en_crypt($password){$salt = "lorem_ipsumd0l0rs1t@m3tc0ns3ct3tur@d1p1sc1ng3lit";return hash('sha256', $salt.$password); // can use also different algorithm like sha512 or whirlpool}$hashed_password = en_crypt($password);

and in case where there's a site with more than one users (eg blog, e-commerce etc etc) I have this:

$password = $_POST['password'];function generate_salt() {	$salt = uniqid(md5("lorem_ipsumd0l0rs1t@m3tc0ns3ct3tur@d1p1sc1ng3lit".microtime()));	$salt = hash('sha256', $salt);// can use also different algorithm like sha512 or whirlpool	return $salt;}function en_crypt($password,$salt){   return hash('sha256', $salt.$password);// can use also different algorithm like sha512 or whirlpool}$hashed_password = en_crypt($password,generate_salt());

Is this considered secure and safe enough (in each case)??? How can Improverd it with crypt()??

Edited March 29, 2013 by Lykos22

[Nico]

I would not use md5() for creating the salt. It only returns letters from a-f (all lowercase), and numbers from 0-9. The "lorem ipsum" string you're MD5'ing is actually a much better salt by itself.Although, if you ask me, I would drop all this uniqid() and microtime() stuff, and write a function that returns a real random string, containing a wider range of characters, and perhaps even non-ascii characters.Oh, and in your en_crypt() function, put the salt behind the password. This makes brute forcing harder, or better said, it slows it down. Which is a good thing.

return hash('sha256', $password . $salt);

[Lykos22]

Ok, I've tried to convert it using crypt(), so here is what I've come up with: Case1: in a personal website, where there's only one user, me

$password = $_POST['password'];$salt = "L0r3mIpsUmD0l0rS1tAm3t";$hashed_password = crypt($password', '$2a$12$' . $salt);

Case2: having a site with more than one users

$password = $_POST['password']; function generate_salt() {		$salt = uniqid(sha1("L0r3mIpsUmD0l0rS1tAm3tc0ns3CT3tur4d1p1sc1ng3lit".microtime()));		$salt = substr(sha1($salt), 0, 22);		return $salt;}$hashed_password = crypt($password', '$2a$12$' . generate_salt());

How about this?? Does still needs improvements???

Edited April 3, 2013 by Lykos22