Passwords, hash() with sha-512 or bcrypt?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

batfastad
Forum Contributor
Posts: 433
Joined: Tue Mar 30, 2004 4:24 am
Location: London, UK

Passwords, hash() with sha-512 or bcrypt?

Post by batfastad »

Hi everyone

Currently I hash passwords using 512 bits of per-user salt from /dev/urandom, 512 bits of "pepper" from /dev/urandom which is stored in the file system, then hashed using PHP's hash() function and SHA-512.

But I've been reading that perhaps I should be doing this with crypt() and CRYPT_BLOWFISH instead going forward (I believe this is referred to as bcrypt)?
Using something like phpass?

Cheers, B
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: Passwords, hash() with sha-512 or bcrypt?

Post by flying_circus »

You don't have to use phpass; you can use the built-in crypt() functions.

I've been doing some reading myself, and think I will be heading that way with my next login mechanism as well.
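As an added example (not code from either poster), here is bcrypt through PHP's built-in crypt() with CRYPT_BLOWFISH, reading the salt from /dev/urandom as batfastad already does, plus a verify routine. It assumes PHP 5.3.7 or later (for the "$2y$" prefix) and a readable /dev/urandom.

```php
<?php
// Added example: bcrypt via crypt() with CRYPT_BLOWFISH, no phpass needed.
// Assumes PHP >= 5.3.7 ("$2y$" prefix) and a readable /dev/urandom.

// Build a bcrypt salt string: "$2y$" + 2-digit cost + 22 chars of [./A-Za-z0-9].
function bcrypt_salt($cost = 12) {
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    $raw = file_get_contents('/dev/urandom', false, null, 0, 16);
    if ($raw === false || strlen($raw) !== 16) {
        throw new RuntimeException('could not read 16 bytes from /dev/urandom');
    }
    // base64 of 16 bytes is 24 chars; bcrypt's alphabet has '.' where base64 has '+'.
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

// Hash a password; the cost (work factor) is stored inside the returned string.
function bcrypt_hash($password, $cost = 12) {
    $hash = crypt($password, bcrypt_salt($cost));
    // On failure crypt() returns a short string such as "*0"; a bcrypt hash is 60 chars.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

// Verify by re-hashing with the stored hash as the salt argument:
// crypt() reads the cost and 22-char salt back out of it.
function bcrypt_verify($password, $stored) {
    $computed = crypt($password, $stored);
    if (strlen($computed) !== strlen($stored)) {
        return false;
    }
    // Constant-time comparison so a partial match does not leak through timing.
    $diff = 0;
    for ($i = 0; $i < strlen($stored); $i++) {
        $diff |= ord($computed[$i]) ^ ord($stored[$i]);
    }
    return $diff === 0;
}

$hash = bcrypt_hash('correct horse battery staple');
var_dump(bcrypt_verify('correct horse battery staple', $hash));
var_dump(bcrypt_verify('wrong password', $hash));
```

One caveat if the file-system pepper is kept alongside bcrypt: bcrypt only uses the first 72 bytes of its input, so prepending a 512-bit (64-byte) pepper to the password would leave only 8 bytes of the password itself in the hash.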