
My hasher class good enough?


Zephni


I just made this mini class for hashing passwords, is this all there is to it? Setting a salt string, and hashing the string using something like sha1(md5($salt.$password))


<?php
class MyHash {
	// Fixed, application-wide salt
	private $salt = "a6B2yj90sZ34";

	public function set_salt($salt){
		$this->salt = $salt;
	}

	// Salted hash as described in the post: sha1(md5($salt.$password))
	public function hash_string($string){
		return sha1(md5($this->salt.$string));
	}

	// Compare the hash of the user input with the stored hash
	// (strict comparison avoids PHP's loose type juggling)
	public function check_hashed_string($user_input, $correct_pass){
		return $this->hash_string($user_input) === $correct_pass;
	}
}
?>


To be honest I couldn't get much more from that article than needing to generate a random salt for each user and using stronger encryption methods. So the class should be more like:


<?php
class MyHash {
	private $salt;

	// Generate a fresh random salt per user instead of a fixed string
	// (random_bytes() requires PHP 7 or later)
	public function generate_random_salt(){
		$this->salt = bin2hex(random_bytes(16));
		return $this->salt;
	}

	//The rest
}
?>

To be honest xyph has suggested using PHPass, which sounds like the safest way to go rather than making my own class.


To be honest xyph has suggested using PHPass, which sounds like the safest way to go rather than making my own class.


The first rule of security is to always assume and plan for the worst. Should you use a salt, ideally a random salt for each user? Sure, it's definitely a good practice, and at the very least it lets you disambiguate two users who have the same password. But these days, salts alone can no longer save you from a person willing to spend a few thousand dollars on video card hardware, and if you think they can, you're in trouble.


PHPass is a good idea as a minimum security measure. Unless you are storing more sensitive information like credit card info and such, which I doubt.


Mid-range video cards, cooled properly, will calculate well over a billion MD5's per second. Around half a billion SHA-1 per second.


A proper key stretch will take that number down to a million, which is much less feasible.


PHPass is a good idea as a minimum security measure. Unless you are storing more sensitive information like credit card info and such, which I doubt.


PHPass would be terrible for storing CC numbers, as it's designed to be one-way :P IMO, storing CC numbers is something you should never do, unless you're running some sort of payment gateway. Even for a subscription service, it's hard to justify that kind of liability when the overhead of using PayPal et al is relatively small. Regardless, safe storage of CCs is well beyond the scope of this discussion board, IMO.


I'm also kind of curious what you'd use beyond PHPass for password hashing?
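An added example, not code from the thread, that puts the key-stretching point above into measurable terms: it contrasts the original sha1(md5($salt.$password)) scheme with a bcrypt stretch via PHP's built-in password_hash() and times how many hashes per second each allows on the local CPU. It assumes PHP 7.4+ (random_bytes, password_hash, hash_equals, arrow functions) and uses a constructed sample password.

```php
<?php
// Fast scheme from the thread: two plain digests, no work factor.
function fast_hash(string $salt, string $password): string {
    return sha1(md5($salt . $password));
}

// Key-stretched scheme: bcrypt generates and embeds its own random
// salt, and 2^cost rounds make every guess proportionally expensive.
function stretched_hash(string $password, int $cost = 12): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// hash_equals() compares in constant time, unlike == or ===.
function verify_fast(string $salt, string $input, string $stored): bool {
    return hash_equals($stored, fast_hash($salt, $input));
}

function verify_stretched(string $input, string $stored): bool {
    return password_verify($input, $stored);
}

// Run $fn $n times and return the achieved hashes per second.
function hashes_per_second(callable $fn, int $n): float {
    $start = microtime(true);
    for ($i = 0; $i < $n; $i++) {
        $fn();
    }
    return $n / (microtime(true) - $start);
}

$password = 'correct horse';            // constructed sample password
$salt     = bin2hex(random_bytes(16));  // per-user random salt

$fastStored      = fast_hash($salt, $password);
$stretchedStored = stretched_hash($password);

var_dump(verify_fast($salt, $password, $fastStored));
var_dump(verify_fast($salt, 'wrong guess', $fastStored));
var_dump(verify_stretched($password, $stretchedStored));
var_dump(verify_stretched('wrong guess', $stretchedStored));

// The ratio between these two rates is the factor a brute-force
// attacker is slowed by; GPUs scale the first number far more than the second.
printf("sha1(md5()) :  %.0f hashes/s\n",
    hashes_per_second(fn() => fast_hash($salt, $password), 20000));
printf("bcrypt cost 12: %.1f hashes/s\n",
    hashes_per_second(fn() => stretched_hash($password), 5));
```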


I'm also kind of curious what you'd use beyond PHPass for password hashing?


bcrypt probably. I've never used it though. So far I have never had a case that had such a high security concern. And if the project does have to handle sensitive data, we employ licensed third-party software. Because it's better to be able to point the finger at someone other than you :)

