Hashing Password

Question

Possible Duplicate:
password hashing

What is the best practice to hash the password?

I did the following:

$salt = 12345;
$hash = hash("sha256", $_POST['password'] . $salt);

Is there a better solution and secure?

Answer 1

I personally suggest using bcrypt. The main reason is that it is slow. This helps slow down attacks on the hash. If you use a password with a salt this should make things more difficult if your hash lists ever do fall into the wrong hands.

Here is an article that explains more about it:
http://codahale.com/how-to-safely-store-a-password/

Answer 2

It's referenced in another answer I'm looking for, but I'd use this: http://www.openwall.com/phpass/

Other versions of this questions: How can I store my users' passwords safely?

Answer 3

This method is secure. Using a salt value greatly increases the complexity of breaking the encryption. For best practice I would use a large salt value.

Answer 4

It would be better to use multiple rounds. The crypt() function in PHP implements this.

Answer 5

The point of salting password hashes is that the salt should be different for each stored hash. That way, an attacker can't use a single precomputed hash dictionary against all the hashes (he'd need a separate dictionary for each salt value). In addition, two users with the same password won't have the same hash, so someone looking at the list of hashes won't be able to tell that the users' passwords are the same.

This other SO question has more information.

Answer 6

A constant salt is useless. Instead, you should use something interesting, like username or timestamp of the user.

The whole point of a salt is to prevent a birthday attack where they hash a bunch of passwords without salt (or with a constant salt) and compare to the stored hashes.

Also a slower algorithm for hashing is always best to increase brute force times.