How to go about encrypting user login passwords for a website

Question

I'm developing a website for a company, and they require login verification in order to use some of the services that this company provides. Using common sense, I know that I need to encrypt the user's password when saving it to a database. Not a problem, I can simply implement a hashing algorithm and store the hash (or something, I still need to troll StackOverflow to figure out the best way to save this information, but that's not what I'm asking).

What I'm curious about is how to actually execute the encryption algorithm. Is that a stand-alone program on the server that will encrypt the password and then store it? Or would I have to use a PHP module to encrypt the password? Or is it something else that I'm not thinking of?

Any and all answers are appreciated, and if I worded anything poorly, I'm counting on you to call me out on it ;)

score 5 · Accepted Answer · edited May 23 '17 at 11:55

5

PHP's built in hashing methods works well. No need to call inn third party libraries. You should take a look at the hash() function. Remember to use a strong salt when saving the hash. There should be plenty of good articles around the internet about this, and also here.

As pointed out by drrcknlsn in a comment, md5 and sha1 would bad choices since they are considered broken.

Also, as Grexis points out in his answer, PBKDF2 is also one method the you could look into.

edited May 23 '17 at 11:55

Community

1
1

answered Dec 23 '11 at 19:31

Audun Larsen

958
5
7

Is there an difference between hash("md5","somestring") and md5("somestring")? – Corubba Dec 23 '11 at 19:36
2

Short answer: No. But as md5 is "broken" i would recommend using a stronger algorithm like sha256. And for that you need hash(). – Audun Larsen Dec 23 '11 at 19:39
1

+1 for recommending `hash()`. Might also want to mention not using it with md5 and sha1. – FtDRbwLXw6 Dec 23 '11 at 19:39

score 1 · Answer 2 · answered Dec 23 '11 at 19:47

I realize that this question has already been answered, but here is a hashing function that I use. It's a PHP PBKDF2 Implementation (described in RFC 2898):

public static function hash($p, $s, $c = 5000, $kl = null, $a = 'sha256'){
    $hl = strlen(hash($a, null, true));
    if(is_null($kl)) $kl = $hl;
    $kb = ceil($kl/$hl);
    $dk = '';
    for($block = 1; $block <= $kb; $block++){
        $ib = $b = hash_hmac($a, $s.pack('N', $block), $p, true);
        for($i = 0; $i < $c; $i++)
            $ib ^= ($b = hash_hmac($a, $b, $p, true));
        $dk .= $ib;
    }
    return substr($dk, 0, $kl);
}

More information here: Encrypting Passwords with PHP (The function above is only slightly modified from this location to provide default values)

How to go about encrypting user login passwords for a website

2 Answers2

Linked