Reputation: 55
I am trying to use the SHA512 algorithm in PHP using the crypt function.
My salt:
$salt = base64_encode(substr(str_shuffle("./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), 0, 12));
I get something like this:
Q4CALzJNenFaZnNK
I am not sure why I get length 16 while I specified 12.
And to hash the password, I use this:
$hashed = crypt('myPassword', '$6$rounds=5000000$'.$salt);
The output is something like that:
$6$rounds=5000000$Q4CALzJNenFaZnNK$9QTP6C.BZ9Z.U85UIEAVX1dEIdShHFoYGgTMvgv9Cx/XZY1mK/n2rY4FuHSoigjgIXfqGZftZSxrrF.cDBzt8/
Length: 121
So my question is: is it OK to store this password in the database, or should I strip the $ signs as I saw in a few examples?
Also, I already store passwords in VARCHAR(255), and I was wondering if I could make the output twice as long, i.e. nearly 255 characters?
Is this way more secure than, for instance, Blowfish?
My findings:
The length of a hashed password is not that important as I first thought (60 characters is well enough to store instead of 128 or 256).
It is best to use the password_hash function and forget about generating your own salt; the php.net people know what they are doing.
So I ended up hashing passwords this way:
$hash = password_hash($password, PASSWORD_BCRYPT, array("cost"=>15));
PASSWORD_BCRYPT is the Blowfish algorithm with a default cost of 10 (the number of times it runs the algorithm, or something like that). 10 is a good number to slow down brute-force attacks. I wanted to show how you can change the cost manually.
Upvotes: 1
Views: 7158
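The flow the question settles on, written out end to end as an added example (this is not code from the original post): registration with password_hash(), login with password_verify(), and a transparent upgrade via password_needs_rehash() when the cost is raised later. The bcrypt result is a 60-character string whose $2y$<cost>$ prefix names the algorithm, the cost and the salt, so the whole string is stored as-is; VARCHAR(255) leaves plenty of room. The cost of 12, the 72-byte limit check, and the in-memory $users array standing in for the users table are assumptions of the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Assumes PHP >= 7.0; the
// in-memory $users array stands in for a users table whose password column is
// VARCHAR(255). BCRYPT_COST = 12 is an assumed value; see tune_cost() below.

const BCRYPT_COST = 12;

// bcrypt only uses the first 72 bytes of the password; refuse longer input
// instead of silently truncating it.
const BCRYPT_MAX_PASSWORD_BYTES = 72;

function hash_password(string $password): string
{
    if (strlen($password) > BCRYPT_MAX_PASSWORD_BYTES) {
        throw new InvalidArgumentException('password longer than 72 bytes');
    }
    // password_hash() draws the salt from a CSPRNG and embeds it, the scheme
    // id ($2y$) and the cost in the 60-character result, so the returned
    // string is the only thing that has to be stored.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    if (!is_string($hash)) {            // PHP 7 returns false on failure; PHP 8 throws
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

function register(array &$users, string $username, string $password): void
{
    $users[$username] = hash_password($password);
}

function login(array &$users, string $username, string $password): bool
{
    // Verify against a fixed dummy hash for unknown users so the response
    // time does not reveal which usernames exist.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = hash_password('dummy-password');
    }
    $stored = $users[$username] ?? $dummy;

    if (!password_verify($password, $stored) || !isset($users[$username])) {
        return false;
    }
    // If BCRYPT_COST (or the algorithm) was raised after this hash was made,
    // upgrade it now, while the cleartext is in hand. The stored string's own
    // $2y$<cost>$ prefix is what password_needs_rehash() inspects.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $users[$username] = hash_password($password);
    }
    return true;
}

// Choose the cost once, offline, so that a single hash takes about $target_ms
// on the login server; then set BCRYPT_COST to the returned value.
function tune_cost(int $target_ms = 250): int
{
    $cost = 4;                                   // minimum bcrypt cost
    do {
        $cost++;
        $start = microtime(true);
        password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsed_ms = (microtime(true) - $start) * 1000;
    } while ($elapsed_ms < $target_ms && $cost < 31);
    return $cost;
}

$users = [];
register($users, 'alice', 'correct horse battery staple');
var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump(login($users, 'alice', 'wrong password'));
var_dump(login($users, 'nobody', 'whatever'));
printf("stored hash is %d characters: %s\n", strlen($users['alice']), $users['alice']);
```

Raising BCRYPT_COST later needs no migration script: every user's hash is upgraded on their next successful login, and hashes that were created at the old cost still verify because the cost is read from the stored string, not from the constant.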
Reputation: 75659
Also, I already store passwords in VARCHAR(255), and I was wondering if I could make the output twice as long, i.e. nearly 255 characters?
In principle longer is better, so SHA512 is better than SHA256. However, a 120-character hash is already pretty long and there is no advantage in making it even longer. You can increase the length of the salt, but don't try to make the hash longer by appending another hash or something like that.
Upvotes: 0
Reputation: 433
Upvotes: 1
Reputation: 75659
So my question is it ok to store this password in the database
Yes, just store the whole thing in the database, including the $6$ and the rounds=5000000. This makes it possible to switch to another hash type in the future, and you can just use crypt on the whole password to check it.
Upvotes: 0
Reputation: 75659
You have this:
$salt = base64_encode(substr(str_shuffle("./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), 0, 12));
You can simply remove the base64_encode from this to get a 12-character salt. Also note that in your version you have some non-ASCII, non-printable characters between the 5 and the 6. That probably causes the binary output. Try this:
$salt = substr(str_shuffle("./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), 0, 12);
Upvotes: 1
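The two answers above (keep the whole $6$rounds=...$salt$hash string and hand it back to crypt() to verify; build the salt without base64_encode) combined into one added example that is not code from the original post. It replaces str_shuffle, which the PHP manual states does not produce cryptographically secure values, with random_bytes(), and it uses base64 the other way round: 12 random bytes encode to exactly 16 salt characters, which is also why the original 12-character string came out 16 characters long (base64 turns every 3 bytes into 4 characters). The rounds value of 100000 is an assumption to be tuned; the 5,000,000 rounds in the question cost seconds of CPU per login on ordinary hardware, which makes the login endpoint an easy target for denial of service.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Assumes PHP >= 7.0
// (random_bytes) and a libc whose crypt() implements the $6$ (SHA-512)
// scheme. The default of 100000 rounds is an assumed starting point.

// crypt()'s salt alphabet is [./0-9A-Za-z]. base64 encodes every 3 bytes as
// 4 characters, so 12 random bytes give exactly 16 characters, the maximum
// salt length for $6$. base64 emits '+' and '/'; '/' is already legal and '+'
// is mapped to '.', so every character of the result is in the salt alphabet.
function sha512crypt_salt(): string
{
    return strtr(base64_encode(random_bytes(12)), '+', '.');
}

function sha512crypt_hash(string $password, int $rounds = 100000): string
{
    // glibc accepts rounds in 1000..999999999 and clamps silently outside
    // that range; reject out-of-range values explicitly instead.
    if ($rounds < 1000 || $rounds > 999999999) {
        throw new InvalidArgumentException('rounds must be between 1000 and 999999999');
    }
    $setting = sprintf('$6$rounds=%d$%s$', $rounds, sha512crypt_salt());
    $hash = crypt($password, $setting);
    // On an unsupported or malformed setting crypt() returns a string shorter
    // than 13 characters (such as "*0") instead of a hash; never store that.
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() rejected the setting string');
    }
    return $hash;
}

function sha512crypt_verify(string $password, string $stored): bool
{
    // Passing the whole stored string as the setting makes crypt() reuse the
    // scheme id, rounds and salt it carries, which is why the $6$ prefix and
    // rounds= part must be stored. hash_equals() keeps the comparison
    // constant-time.
    $recomputed = crypt($password, $stored);
    return strlen($recomputed) >= 13 && hash_equals($stored, $recomputed);
}

$stored = sha512crypt_hash('myPassword');
printf("%d characters: %s\n", strlen($stored), $stored);
var_dump(sha512crypt_verify('myPassword', $stored));
var_dump(sha512crypt_verify('myPassw0rd', $stored));
```

Because the stored string is self-describing, a later move to password_hash() needs no schema change: a hash can be checked with password_verify() or crypt() depending on its prefix, and rewritten with the new scheme after a successful login.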