Almost everyone is fond of using the md5() function to hash passwords. It can easily be done as follows:
$hash = md5($password);
What if a user enters a weak password? For example: "abcdef". If the hash gets compromised, anyone can use various brute-forcing techniques to crack it easily. That is one of the reasons it is recommended to always use a salt while generating the hash. A salt is nothing but a character string which we mix in while generating the hash, so that even if the hash gets compromised, it is much more difficult to crack.
$hash = md5($salt . $password);
Suppose $salt = "daf5234Dae". Now even if the user has a weak password, something like "apple", the function would compute md5() of $salt.$password, i.e. md5("daf5234Daeapple"). This makes it much harder for a cracker to crack the hash. Now, what if your salt gets compromised? It is still crackable then.
What we can do is combine several hash functions. We can generate a salt by taking the md5 of our password and hashing that again with sha1. We can then generate the final hash using the salt and the password:
$salt = sha1(md5($password));
$hash = md5($salt.$password);
Now even if a user uses a weak password, say "apple", the value being hashed would look something like this:
$hash = md5("d342ddfklwe56dfa324kdfkaccde3432kdfkal3bapple");
That would now take millions of years to crack the hash, so the password remains secure and safe even if the hash gets compromised.
Let's see an example hash generated using the above technique:
$password = "hello";
$salt = sha1(md5($password));
$hash = md5($salt.$password);
echo $hash;
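The scheme above, reproduced in Python rather than PHP so it can be run against a few constructed user records (an added example, not code from the original post); md5 and sha1 hex digests are identical in both languages. It also shows the same md5($salt.$password) construction with a per-user random salt, the kind of salt string introduced earlier, and a check a defender can run over a stored hash table: because sha1(md5($password)) depends only on the password, two users with the same password end up with the same stored hash.

```python
import hashlib
import secrets
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()

def sha1_hex(data: str) -> str:
    return hashlib.sha1(data.encode("utf-8")).hexdigest()

def derived_salt_hash(password: str) -> str:
    """The post's scheme: $salt = sha1(md5($password)); $hash = md5($salt.$password)."""
    salt = sha1_hex(md5_hex(password))
    return md5_hex(salt + password)

def random_salt_hash(password: str, salt: Optional[str] = None) -> Tuple[str, str]:
    """Same md5(salt . password) construction, but with a salt that does not
    depend on the password. Returns (salt, hash); the salt is stored next to
    the hash so the password can be verified later."""
    if salt is None:
        salt = secrets.token_hex(8)  # 16 hex chars, freshly generated per user
    return salt, md5_hex(salt + password)

def verify_random_salt(password: str, salt: str, stored_hash: str) -> bool:
    return md5_hex(salt + password) == stored_hash

def shared_hash_groups(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Defender's check on a stored {user: hash} table: which hashes are shared
    by more than one user? With a password-derived salt every user who picked
    the same password stores the same hash, so password reuse is visible."""
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for user, h in records.items():
        by_hash[h].append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}

# Constructed sample users (not from the post); two of them share a password.
USERS = {"alice": "apple", "bob": "apple", "carol": "hello"}

def derived_salt_table() -> Dict[str, str]:
    return {user: derived_salt_hash(pw) for user, pw in USERS.items()}

def random_salt_table() -> Dict[str, str]:
    return {user: random_salt_hash(pw)[1] for user, pw in USERS.items()}
```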
