PHP: Easy and secure password hashing class

Everybody talks about security, but most people still store md5(password) in their databases. This is not funny: reversing a simple or even an average password is not that hard.
I once wrote this tiny class that generates secure enough password hashes.

I built in a salt and a variable number of iterations.
The license is GPL, so everybody can use it :D

Download / Source

http://juliusbeckmann.de/code/class.password.phps
http://juliusbeckmann.de/code/class.password.php.txt

Usage / Example

$pass = 'MyPassword';
echo $pass, ' => ', password::hash($pass);

Background

What is a "salt" good for?
A salt adds a fairly random string to the password to make the hash harder to reverse.
The unsalted password grandma becomes a5d19cdd5fd1a8f664c0ee2b5e293167.
If you use the salt "!24sf+fs5SDG65-54", then grandma!24sf+fs5SDG65-54 becomes bab9015f430ad28f420581f069f5736f.
And nobody would know that bab9015f430ad28f420581f069f5736f was "grandma".

Check it yourself:
Google a5d19cdd5fd1a8f664c0ee2b5e293167 = "grandma"
Google bab9015f430ad28f420581f069f5736f = "grandma!24sf+fs5SDG65-54"
You can see for yourself that the salted password hash is not known to Google.

What are iterations good for?
Iterations mean you make a hash of a hash.
Again the "grandma" example:
md5(grandma) = a5d19cdd5fd1a8f664c0ee2b5e293167
md5(a5d19cdd5fd1a8f664c0ee2b5e293167) = ce807f095fa160ccce736e007fe74ff1
md5(ce807f095fa160ccce736e007fe74ff1) = e720fe3e6cc002a0eaabf5300283bd56
md5(e720fe3e6cc002a0eaabf5300283bd56) = ...
But be careful: plain rehashing is not more secure than single hashing.
What makes rehashing more secure is using the salt again in every round, so that each new hash depends on the previous hash AND the salt.
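The two constructions above written out in plain PHP, as an added example that is not the class from the post: plain rehashing beside salted iteration where the salt is mixed in again in every round, followed by a store/verify pair. It uses sha256 in place of md5 (the construction is identical); the function names, the stored format (iterations$salt$hash) and the iteration count are this example's own choices, and PHP's built-in password_hash()/password_verify() are shown as the preferred alternative.

```php
<?php
// Added example, not the class from the post. sha256 stands in for md5;
// the construction is the same. Function names and the stored format
// (iterations$salt$hash) are this example's own choices.

// Plain rehashing: each round depends only on the previous hash.
function plainRehash(string $password, int $iterations): string {
    $h = hash('sha256', $password);
    for ($i = 1; $i < $iterations; $i++) {
        $h = hash('sha256', $h);
    }
    return $h;
}

// Salted iteration: the salt is mixed in again in every round, so each
// intermediate hash depends on both the previous hash AND the salt.
function saltedIteratedHash(string $password, string $salt, int $iterations): string {
    $h = hash('sha256', $salt . $password);
    for ($i = 1; $i < $iterations; $i++) {
        $h = hash('sha256', $salt . $h);
    }
    return $h;
}

// Store the iteration count and the per-user salt next to the hash so the
// same computation can be repeated at login time.
function makeStoredHash(string $password, int $iterations = 20000): string {
    $salt = bin2hex(random_bytes(16));          // fresh random salt per password
    $hash = saltedIteratedHash($password, $salt, $iterations);
    return $iterations . '$' . $salt . '$' . $hash;
}

function verifyStoredHash(string $password, string $stored): bool {
    [$iterations, $salt, $hash] = explode('$', $stored, 3);
    $candidate = saltedIteratedHash($password, $salt, (int) $iterations);
    return hash_equals($hash, $candidate);      // constant-time comparison
}

printf("plain x3: %s\n", plainRehash('grandma', 3));
$stored = makeStoredHash('grandma');
printf("stored:   %s\n", $stored);
printf("correct:  %s\n", verifyStoredHash('grandma', $stored) ? 'accepted' : 'rejected');
printf("wrong:    %s\n", verifyStoredHash('grandpa', $stored) ? 'accepted' : 'rejected');

// PHP 5.5+ ships password_hash()/password_verify(), which handle salting
// and work factor for you; prefer them over any hand-rolled scheme.
$modern = password_hash('grandma', PASSWORD_DEFAULT);
printf("builtin:  %s\n", password_verify('grandma', $modern) ? 'accepted' : 'rejected');
```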

6 comments on “PHP: Easy and secure password hashing class”

  1. Jani Hartikainen 31 January 2010 at 14:27

    I've read in a few places that md5 is not really a good choice nowadays. sha1 is much better, and at least I've started using it instead of md5.

  2. Julius 31 January 2010 at 14:59

    This is basically true. But this information aims mostly at normal hashing routines. The class is intended to produce a hash that is not usual. There are many rumours about hashing out there, but not every one is true. If you want to use sha1() instead of md5(), it is easily exchangeable.

  3. martin 5 April 2010 at 01:05

    I'm testing your class and it works fine, but what about reversing hash data into a human-readable word again?

  4. Julius 5 April 2010 at 12:09

    Hi martin,
    reversing is not possible with a hash.
    A hash can be compared with a fingerprint of something. If something has the same fingerprint, it has to be the same thing.
    What you are asking for is encryption. By using a key you can encrypt and decrypt the data.
    Use hashes for storing passwords. Use encryption for storing sensitive things like credit card numbers.

  5. misterjack 15 May 2012 at 11:08

    there is only one true password-hashing-class: http://www.openwall.com/phpass/

  6. Julius 18 May 2012 at 23:03

    @misterjack
    I would not use that hashing class, because its code does not apply the common PHP standards.
    Also it is very common code that might have holes that could be misused.