Rightly hashing password

Boaz Rymland

Feb 24, 2012, 10:36:15 AM2/24/12
to yii-i...@googlegroups.com
So, what's your technique for password hashing?
  1. Clear text?
  2. md5() hashing?
  3. md5()/sha1() + common salt?
  4. md5()/sha1() + per-user salt?
If you chose one of the above methods, then you quickly need to learn a bit more. You must advance to using stronger hashing methods than md5/sha1. Stronger means a method that forces the hacker to have huge hardware/money resources in order to crack your passwords. How? md5() (sha1() is a little better than it, but of the same magnitude) is a fast hashing algorithm. The speed is its drawback. It means that running brute-force dictionary-attack attempts on your hashes (what is known as rainbow attacks) is rather easy and fast to do. bcrypt, OTOH, takes much longer to perform the hash, by design.

There's a prominent class/library in PHP called PHPass that implements decent password hashing methods.
Yii has a new extension that wraps that library (not that it was a big challenge to do it alone).

Want to read more? See:

I just learnt the above and thought I'd share it with you.
A Gitte Shabbes,
Boaz.
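Added example, not code from the original post, from PHPass or from the Yii extension: the fast md5() scheme from item 2 of the list beside a bcrypt hash with a per-user random salt, using PHP's built-in password_hash()/password_verify() (PHP 5.5 and later, which postdates this post; PHPass gives the same $2y$ bcrypt output on older PHP). The cost value, the sample password and the timing loop are the editor's own choices for illustration.

```php
<?php
// Added example (not from the original post or the Yii extension).
// Weak scheme beside the hardened one; requires PHP >= 5.5 for password_hash().

// Weak: fast, unsalted md5. Every user with the same password gets the same
// hash, and commodity GPUs test billions of md5 candidates per second.
function weak_hash(string $password): string {
    return md5($password);
}

function weak_verify(string $password, string $stored): bool {
    return hash_equals($stored, md5($password));
}

// Stronger: bcrypt. PHP draws a random per-user salt and embeds it in the
// result ("$2y$<cost>$<22-char salt><31-char digest>"), so no separate salt
// column is needed. cost is log2 of the work factor: each +1 doubles the time.
// 12 is an assumed default for this example; tune it to your hardware.
function strong_hash(string $password, int $cost = 12): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

function strong_verify(string $password, string $stored): bool {
    // password_verify() reads the cost and salt back out of the stored string.
    return password_verify($password, $stored);
}

// True when a stored hash was made with a lower cost than we now want, so it
// can be re-hashed on the user's next successful login.
function needs_upgrade(string $stored, int $cost = 12): bool {
    return password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Rough hashes-per-second for a scheme on this machine; the ratio between the
// two is the point the post makes about fast vs. slow hashes.
function hashes_per_second(callable $fn, int $iterations): float {
    $start = microtime(true);
    for ($i = 0; $i < $iterations; $i++) {
        $fn("candidate$i");
    }
    return $iterations / (microtime(true) - $start);
}

$password = 'correct horse battery staple';   // constructed sample input

// Same password hashed twice: different bcrypt strings (per-user salt),
// identical md5 strings (precomputed-table friendly).
$h1 = strong_hash($password);
$h2 = strong_hash($password);
assert($h1 !== $h2);
assert(strong_verify($password, $h1) && strong_verify($password, $h2));
assert(!strong_verify('wrong password', $h1));
assert(weak_hash($password) === weak_hash($password));
assert(weak_verify($password, weak_hash($password)));

printf("md5:    %12.0f hashes/s\n", hashes_per_second('weak_hash', 100000));
printf("bcrypt: %12.2f hashes/s (cost 12)\n", hashes_per_second('strong_hash', 5));

// Upgrade path: a hash stored with cost 10 verifies fine, then gets
// re-hashed at cost 12 while the plaintext is still in hand.
$old = strong_hash($password, 10);
if (strong_verify($password, $old) && needs_upgrade($old, 12)) {
    $new = strong_hash($password, 12);
    printf("rehashed: %s -> %s\n", substr($old, 0, 7), substr($new, 0, 7));
}
```

Run it with `php example.php` on PHP 5.5 or later; the md5 figure will be several orders of magnitude above the bcrypt one, which is exactly the gap an offline cracker is up against. Pick the cost so that one hash takes on the order of a few hundred milliseconds on your login servers, and revisit it as hardware improves, since the stored string carries the cost and old hashes can be upgraded at next login.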
