1

Possible Duplicate:
Secure hash and salt for PHP passwords

I want to hash the passwords of the users.

I will use a salt.

In the past, I have used md5 but clearly, this is a very outdated way of hashing passwords now.

Is sha256 or sha512 better for effectiveness, not speed.

Thanks.

Community
  • 1
  • 1
sark9012
  • 4,905
  • 16
  • 52
  • 90
  • There are lots of answers on this site, but http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords might interest you. – Konerak Jun 21 '11 at 12:20
  • 3
    Just to mention: Using slower algorithms also makes it harder for attackers to brute force the hashes. Usually the difference negligible when just hashing single passwords, but attackers must hash thousands of them. What I want to say: Here (exceptional) slower is better ;) – KingCrunch Jun 21 '11 at 12:29
  • As KingCrunch said you need the calculation of your hashes to be expensive. Hashing password's is a difficult task to achieve correctly and you should use `a portable public domain password hashing framework` => http://www.openwall.com/phpass/ – Alfred Jun 21 '11 at 12:35
  • This ain't a damn duplicate. The only related posts you guys link to are 2.5 years old. Things have changed. – seriousdev Jun 21 '11 at 12:41
  • 1
    @seriousdev: How exactly have they changed? Moore's law still holds, md5 is significantly broken, sha512 isn't, and neither is bcrypt (the work factor went up by 1.something as expected). Meanwhile, people are merrily storing passwords in plaintext. I see no significant change, do you? – Piskvor left the building Jun 21 '11 at 15:31

2 Answers2

1

Define "effectiveness". Obviously, sha512 is more secure, slower and less disk space-efficient than sha256.

Felix
  • 84,032
  • 41
  • 145
  • 163
1

for hashing using a salt I recommend the HMAC method (implemented in PHP’s hash_hmac())

Dormilich
  • 927
  • 5
  • 11