current community

your communities

more stack exchange communities

Stack Exchange
tour help
careers 2.0
Take the 2-minute tour ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 0 down vote favorite
1

I found this example how to hash and check the passwords with php. Now I ask myself if this version is a good example.

public function hashPassword($mail, $password, $salt, $rounds='08')
{
   $length = strlen($password) * 4;
   $data = str_pad($password, $length, sha1($mail), STR_PAD_BOTH);
   $string = hash_hmac('whirlpool', $data, SERVER_KEY, true);

   return crypt($string, '$2a$' . $rounds . '$' . $salt);
}

public static function checkPassword($mail, $password, $stored)
{
   $length = strlen($password) * 4;
   $data = str_pad($password, $length, sha1($mail), STR_PAD_BOTH);
   $string = hash_hmac ('whirlpool', $data, SERVER_KEY, true);

   return (crypt($string, substr($stored, 0, 30)) === $stored);
}

Thanks in advanced.

share|improve this question
    
Oooh, please don't call it decrypting passwords, you will start "the rage". Anyhow, why use anything else than bcrypt/scrypt/ppbkdf2? –  JimL Jul 18 '13 at 6:40
    
okay, you're right. It isn't a decrypt function. –  HotPizzaBox Jul 18 '13 at 6:44
    
Actually it isn't encryption either, whirlpool is a hashing algoritm :P Now I just feel like a jerk o.O I'd still recommend a solid, proven routine like bcrypt or pbkdf2 –  JimL Jul 18 '13 at 6:53

1 Answer 1

up vote 2 down vote

The hashing algorithm looks fine to me other than the fact that you are using $2a$ instead of $2y$. From the crypt() man page:

developers targeting only PHP 5.3.7 and later should use "$2y$" in preference to "$2a$"

Also, using 08 as a cost parameter is very weak unless you're using extremely old hardware. You want to try to make it take as long as possible to hash without being an inconvenience to the user. Typically 250 ms is acceptable. On my desktop PC (which is not that modern) this equates to 11, so with a decent server you probably want at least this much. Try playing around with that parameter until you get a number that takes around this long to calculate/verify the hash and use that.

Another fairly big concern is how you are generating the salt, but since we don't see how you do that, there isn't much that can be critiqued.

With all that said, by far the best practice is to forget about making a home brew password hashing algorithm and instead use the password_hash() function built in to PHP. (For PHP < 5.5 you can download the compatibility pack from github).

share|improve this answer

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.