Re: Login script help


X51


function hash_password($password, $salt = null) {
	// $site_key should be a large random string statically
	// located in a file with secure permissions; it must be
	// brought into the function's scope before it is used
	global $site_key;

	// create a salt if not already defined
	if (is_null($salt))
		$salt = substr(sha1(uniqid(mt_rand(), true)), 0, 10);

	// $password will be plaintext at this point
	$hash = hash_hmac('sha512', $password . $salt, $site_key);

	return array('hash' => $hash, 'salt' => $salt);
}

$password = 'abcdef';

$pass = hash_password($password);

 

 

First off I just want to say thank you for the valuable information I have been reading in this topic (for a few days) and I have updated my pages accordingly.

 

My passwords are now salted with a random encrypted string and I am using sha1 but would like to switch to sha512. So I am playing around with some code to learn more about how it works and have noticed that:

 

sha1(test) returns a94a8fe5ccb19ba61c4c0873d391e987982fbbd3

but

sha512(test) just crashes the page.

 

Can anyone help me understand why this is?

Link to comment
Share on other sites

OK that makes sense.

 

So if this is used to concatenate the password:

$hash = hash_hmac('sha512', $password . $salt, $site_key);

 

Would this be correct to read it when logging in to the site?

$hash = hash_hmac('sha512', $password . $member['salt'], $site_key);
// hash_equals() compares in constant time and avoids loose == type juggling
if (hash_equals($member['password'], $hash)) {
	$id = $member['userid'];
	$_SESSION['userinfo'] = $id;
	session_write_close();
	header("location: somepage.php");
	exit();
} else {
	$errorMessage = 'Sorry Your Information is Not Recognized';
}

 

and where is a good place to store the $site_key?

Link to comment
Share on other sites

Yeah, that looks right.

 

Store the site key in a .php file somewhere, like in a config file with your database connection and whatnot. Make sure it's pretty lengthy, like 50-60 characters.

 

Also, the hash returned by this function will be 128 characters long, so that's how much space you need in your password column.

Link to comment
Share on other sites
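
The hashing and login check discussed in this thread, put together as one round-trip. This is an added example, not code from any poster: SITE_KEY, verify_password() and the sample member row are assumptions, and random_bytes() and hash_equals() are swapped in for the original salt generation and the == comparison. The last two calls show two mismatches that make a correct password fail: a different key at hashing time and at login, and a password column shorter than the hash.

```php
<?php
// Constructed sample key (assumption). A real key is a long random string
// loaded from a config file kept outside the web root.
const SITE_KEY = 'constructed-sample-key-replace-with-50-60-random-characters';

// The thread's scheme: HMAC-SHA512 over password . salt, keyed with the site key.
function hash_password(string $password, ?string $salt = null, string $key = SITE_KEY): array
{
    if ($salt === null) {
        // 10 hex characters from the CSPRNG, same length as the original salt
        $salt = bin2hex(random_bytes(5));
    }
    return ['hash' => hash_hmac('sha512', $password . $salt, $key), 'salt' => $salt];
}

// Recompute the hash with the stored salt and compare in constant time.
function verify_password(string $password, array $member, string $key = SITE_KEY): bool
{
    $candidate = hash_password($password, $member['salt'], $key)['hash'];
    return hash_equals($member['password'], $candidate);
}

// Registration: hash and salt are the two values written to the member row.
$stored = hash_password('abcdef');
$member = ['userid' => 1, 'password' => $stored['hash'], 'salt' => $stored['salt']];

var_dump(strlen($member['password']));         // length the password column must hold
var_dump(verify_password('abcdef', $member));  // login with the correct password
var_dump(verify_password('abcdeg', $member));  // login with a wrong password

// Mismatch 1: the key seen at login differs from the one used at registration,
// for example an undefined $site_key inside a function acts as an empty key.
var_dump(verify_password('abcdef', $member, ''));

// Mismatch 2: a column narrower than the hash stores only a prefix of it.
$truncated = $member;
$truncated['password'] = substr($member['password'], 0, 40);
var_dump(verify_password('abcdef', $truncated));
```

For new code, PHP's password_hash() and password_verify() replace this scheme with a deliberately slow algorithm and built-in salt handling.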

Sweet :)

 

I figured it was time to do some updating, well that and I just like tinkering with php. For me it is more of a rewarding hobby than anything else, but a hobby that comes in handy from time to time. Thanks for the reply.

Link to comment
Share on other sites

Well, I have tried many variations of that script I posted and none seem to work. Not sure why. I echo'd back the $site_key and it is there. I checked the DB and the code inserts a 128 char string for the password. I checked all my spelling and such, but no luck. :(

Link to comment
Share on other sites
