Using secure hash passwords

When working with passwords in your PHP application you want to safely transfer them between different services. Insecure passwords can even be viewed in your internal network.
This is especially the case when there's no HTTPS SSL connection used. I will explain how you can hash passwords to make them less insecure when sending through an internet or network connection.

First off I want to make clear there a various kinds of hashing engines which some of them are stronger than the other.

The SHA-1, SHA-256 and MD5 algorithms are the three most common cryptographic hash functions we use today.
This is an example of a normal PHP hashing :

$hashed_password = sha1("secretpassword");

The MD5 hash function being the least strong and SHA-256 being the strongest.

For even MD5 the least strong one it would takes ages to crack it and usualy isn't worth the effort or time.
However there is a way to circumvent decoding hash. This can be done by the so called rainbow table dictionary.

Rainbow tables are just huge databases of hash strings with the corrosponding real string. Instead of
having to crack every single hash hackers just decided they would create a database of all possible hashes
with the real string attached to it.

To combat rainbow tables I recommend salting your password. Adding extra "salt" to spice up your password will make it realy hard to find the matching hash string.

In the following example we can see how salt is added :

$password = "secretpassword";
$salted_password = "salt" . $password . "salt";
$hashed_password = sha1($salted_password);

Make sure the salt string is something random, and that is unlikely to be found in a dictionary. You might ask why can't I just come up with a realy strong password. You can, but when creating an application for users you should'nt trust passwords for their strength.

Posted by James on 2009-05-07 in the category " php "