We have introduced and discussed the importance of hashed passwords. To create strong hashed passwords, we must understand some related terminology; then we will see how to create a strong salted password hash by example in PHP.
What is a cryptographic hash function?
A cryptographic hash function is a special class of hash function that has certain properties which make it suitable for use in cryptography. It is a mathematical algorithm that maps data of arbitrary size to a bit string of a fixed size (a hash function) which is designed to also be a one-way function, that is, a function which is infeasible to invert (Source: Wiki).
If you've ever looked at login code, the chances are you've seen developers using hash('sha256', $password), or even md5($password), to "secure" user passwords. Password hashes generated this way are laughably easy to crack; with weak algorithms and no salting or stretching in place, you're almost giving your passwords to an attacker who gains access.
· MD5 was initially designed to be used as a cryptographic hash function, but it has been found to suffer from extensive vulnerabilities (Source: Wiki).
· SHA-1 is no longer considered secure against well-funded opponents. In 2005, cryptanalysts found attacks on SHA-1 suggesting that the algorithm might not be secure enough for ongoing use [Source : Wiki].
· SHA-2, not often used for now, is the successor of SHA1 and gathers 4 kinds of hash functions: SHA224, SHA256, SHA384 and SHA512. It works the same way as SHA1 but is stronger and generates a longer hash.
· Blowfish is a symmetric-key block cipher, included in a large number of cipher suites and encryption products. Blowfish provides a good encryption rate in software and no effective cryptanalysis of it has been found to date.
What is Salting?
A salt is random data that is used as an additional input to a one-way function that "hashes" a password or passphrase. To salt a password we add a few random characters to it before hashing, so that the same password results in a unique string each time it is hashed, negating rainbow table attacks and making it necessary to crack each password individually. Salts are usually stored alongside the hash and must be used when checking a password against the hash.
The password_hash() function in PHP salts, stretches, and by default chooses the best hashing algorithm available at the time of execution. This means we never have to worry about choosing an algorithm, or even updating our code to use a stronger algorithm as time moves on: if a better algorithm becomes available, the function will start using it for new hashes.
Here’s an example of how to use this function:
<?php
// PASSWORD_DEFAULT is a constant designed to change
// over time as new and stronger algorithms are
// added to PHP.
// 'ub3rs3cur3' is the password to be hashed.
// http://php.net/manual/en/function.password-hash.php
$hash = password_hash('ub3rs3cur3', PASSWORD_DEFAULT);

// password_verify() verifies that a password matches a hash
// http://php.net/manual/en/function.password-verify.php
echo password_verify('ub3rs3cur3', $hash) ? 'Correct password!' : 'Incorrect password!';
?>
Hashes start with the algorithm information and cost, then 22 alphanumeric salt characters, followed by the hashed password:
$2y$10$Ka3/TxAu3UrGX4E8suGkKO4V43dK9CcF.BTT5P8OzOO7/PRjqFn0a
$2y$10$6kf8iQDut0i7AOx2TULi1O9I5yxdSfX/T7HRy2KbMmliaYo4fLR.i
$2y$10$fPEY1vxgP15wwpfPdA22WOhkMqvmLsZtfzn9sr3rCw2V4N1tbEyle
$2y$10$878u5R1q8tP3karLHwBbAOfax8ybPt43U3F6lG9oOV5w9yfj/k1cq
That's all it takes to generate and verify reasonably secure passwords in PHP. At the time of writing, Blowfish is the default best algorithm and a 60-character hash is generated; however, as the PHP manual page notes (References), creating a password database field with a length of 255 characters may not be a bad idea for secure coding, since it allows for future algorithmic expansion.
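password_hash() only applies a stronger algorithm or cost to new hashes, so hashes already stored stay as they are until the login code replaces them. The following is an added example, not code from the original article, showing a login routine that verifies the password and then upgrades an outdated hash with password_needs_rehash(). The $users array, the login() and describe() functions, and the cost of 12 are assumptions made for illustration.

```php
<?php
// Added example: $users stands in for a real user table (hypothetical).
// Constructed sample data: one account hashed with a deliberately low cost
// to simulate an older hash that is already stored.
$users = [
    'alice' => password_hash('ub3rs3cur3', PASSWORD_BCRYPT, ['cost' => 4]),
];

// Current policy for new hashes; the cost value is an assumed setting.
const HASH_OPTIONS = ['cost' => 12];

// Hypothetical login routine: verify first, then upgrade the stored hash.
function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false; // unknown user or wrong password: nothing is changed
    }
    // The plaintext is only available at login, so this is the one place
    // where an old hash can be replaced by one made under the current policy.
    if (password_needs_rehash($users[$name], PASSWORD_DEFAULT, HASH_OPTIONS)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
    }
    return true;
}

// Summarise the algorithm and cost recorded in the hash prefix.
function describe(string $hash): string
{
    $info = password_get_info($hash);
    return $info['algoName'] . ' cost=' . ($info['options']['cost'] ?? 'n/a');
}

echo 'stored hash:        ', describe($users['alice']), PHP_EOL;

var_dump(login($users, 'alice', 'wrong-guess'));
echo 'after failed login: ', describe($users['alice']), PHP_EOL;

var_dump(login($users, 'alice', 'ub3rs3cur3'));
echo 'after good login:   ', describe($users['alice']), PHP_EOL;
```

In a real application the upgraded hash has to be written back to the database in the same request, which is another reason to size the column for longer hashes.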