开发者

PHP rewriting password hashing function what algo to use?

I'm rewriting my password hashing func开发者_StackOverflowtion.

It currently uses sha1.

I'm thinking about using sha512.

Am I right to think that sha512 is sha2?

Is this currently the standard for hashing passwords or should I use another hashing algo?


I would suggest using bcrypt to hash passwords.

This site gives some good background on the issue: http://codahale.com/how-to-safely-store-a-password/


SHA-2 uses four different bit sizes:

hash functions with digests that are 224, 256, 384 or 512 bits.


It should suffice to say whether bcrypt or SHA-512 is good enough. And the answer is yes, either algorithm is secure enough that a breach will occur through an implementation flaw, not cryptanalysis.

If you insist on knowing which is "better", SHA-512 has had in-depth by NIST and others. It's good, but flaws have been recognized that, while not exploitable now, have led to the the SHA-3 competition for new hash algorithms. Also, keep in mind that the study of hash algorithms is "newer" than that of ciphers, and cryptographers are still learning about them.

Even though bcrypt as a whole hasn't had as much scrutiny as Blowfish itself, I believe that being based on a cipher with a well-understood structure gives it some inherent security that hash-based authentication lacks.

So, my recommendation of bcrypt stems from the assumptions 1) that SHA-2 family of hash functions has better scrutiny, and 2) that cryptanalytic methods for ciphers are better developed than those for hash functions.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜