开发者

Best algorithm for hashing provided by my host

I am looking for a good one way encryption/hashing for safe storage of passwords using one of the algorithms provided by my host.

Here's a list of all the algoritms provided by the host: http://开发者_JAVA百科www.eresig.tk/hash.php


None of the above. The problem with general purpose hashing functions is that they are fast, which means an attacker could realistically bruteforce a huge amount of passwords very quickly, with the prospect looking bleaker as computers get faster.

Use bcrypt instead, which is built-in to PHP, with support for all platforms starting at 5.3.0. If you are using an older version of PHP, you can set up bcrypt with the Suhosin patch.

The advantage of bcrypt is that it has a work factor which you can set to slow down the hashing process. You are not overly concerned if it takes you a little time more to check if a given password is valid, but it will take an attacker significantly longer to bruteforce passwords.

If you want to go beyond that, you might also want to check out scrypt.


Hashing problem is WAY exaggerated on this enthusiast programmers site. In terms of hashing passwords any algorithm would suffice. Especially when this problem compared to other parts of usual php application. Using some strong hash on a usual PHP site is like using a safe lock on a paper door of a straw hut.

If you really want protect user passwords from being stolen using some vulnerability on your site (while such a vulnerability you ought to be way more concerned of) and then bruteforced and then used against these users on other sites, then the thing you really should care of is password strength and salt, not hashing algorithm itself. No hashing technique would protect silly pass like "1234" or "joe".

So, md5 + strong password + average salt is better than usual password + super-extra-cool_hash and quite enough.


SHA-256 is more than sufficient for password hashes, just make sure to use a different edit salt for each user. The salt could be the user's ID, a 'created on' time-stamp, a GUID tied to that user, etc... You'd append the salt to the plain text password before hashing.

Enforcing some sort of password 'best practice' would help to avoid any brute-force attacks. Don't allow users to use weak passwords (less than N characters, contains characters from only 1 character set, etc...).

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜