Passwords, hash() with sha-512 or bcrypt?

Posted: Mon Sep 17, 2012 2:24 pm
by batfastad
Hi everyone

Currently I hash passwords using 512 bits of per-user salt from /dev/urandom, 512 bits of "pepper" from /dev/urandom which is stored in the file system, then hashed using PHP's hash() function and SHA-512.

But I've been reading that perhaps I should be doing this with crypt() and CRYPT_BLOWFISH instead going forward (I believe this is referred to as bcrypt)?
Using something like phpass?

Cheers, B

Re: Passwords, hash() with sha-512 or bcrypt?

Posted: Mon Sep 17, 2012 2:47 pm
by flying_circus
You don't have to use phpass, you can use the built-in crypt() functions.

I've been doing some reading myself, and think I will be heading that way with my next login mechanism as well.
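As an added example (not code from either poster), the two approaches in this thread side by side: the original post's single SHA-512 pass over salt, pepper and password via hash(), and bcrypt through PHP's built-in crypt() with CRYPT_BLOWFISH as flying_circus suggests, including the verification step. Assumptions: PHP 5.3.7 or later for the "$2y$" prefix, PHP 7 or later for random_bytes(), PHP 5.6 or later for hash_equals(); the pepper is a constructed constant standing in for the value the poster reads from the file system.

```php
<?php
// Added example, not from the thread. Compares the poster's fast
// SHA-512 scheme with bcrypt via the built-in crypt()/CRYPT_BLOWFISH.

// Constructed placeholder; the original post reads 512 bits from /dev/urandom
// and keeps them in a file. A real pepper never lives in source code.
const PEPPER_HEX = '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef';

// --- Scheme from the original post: one SHA-512 pass with salt and pepper ---
function sha512_hash_password(string $password, string $salt, string $pepper): string {
    // Cheap to compute, so an attacker with the salt and pepper can test
    // billions of candidates per second on a GPU.
    return hash('sha512', $salt . $pepper . $password);
}

// --- bcrypt via crypt() with CRYPT_BLOWFISH ---
function bcrypt_salt(int $cost): string {
    // crypt() wants "$2y$" + two-digit cost (04..31) + 22 chars from [./A-Za-z0-9].
    // 16 random bytes base64-encode to 24 chars (22 data + "=="); standard
    // base64 emits '+' which bcrypt's alphabet lacks, so map it to '.'.
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    $chars = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $chars);
}

function bcrypt_hash_password(string $password, int $cost = 10): string {
    if (CRYPT_BLOWFISH !== 1) {
        throw new RuntimeException('CRYPT_BLOWFISH is not available in this PHP build');
    }
    $hash = crypt($password, bcrypt_salt($cost));
    // crypt() reports failure with a short string such as "*0"; a bcrypt
    // hash is always 60 characters, so anything else is an error.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

function bcrypt_verify(string $password, string $stored): bool {
    // Passing the stored hash as the salt argument makes crypt() reuse its
    // cost and salt; compare in constant time to avoid a timing side channel.
    return hash_equals($stored, crypt($password, $stored));
}

// Measure how long one hash takes, to pick a cost the login path can afford.
function time_hash(callable $fn): float {
    $start = microtime(true);
    $fn();
    return microtime(true) - $start;
}

// --- Demo with constructed values ---
$password = 'correct horse battery staple';
$salt     = bin2hex(random_bytes(64));   // 512 bits of per-user salt, as in the post

$fast = sha512_hash_password($password, $salt, PEPPER_HEX);
$slow = bcrypt_hash_password($password, 12);

printf("sha512: %s\n", $fast);
printf("bcrypt: %s\n", $slow);
printf("verify correct password: %s\n", bcrypt_verify($password, $slow) ? 'ok' : 'rejected');
printf("verify wrong password:   %s\n", bcrypt_verify('wrong password', $slow) ? 'ok' : 'rejected');

printf("one sha512 hash: %.6f s\n", time_hash(function () use ($password, $salt) {
    sha512_hash_password($password, $salt, PEPPER_HEX);
}));
printf("one bcrypt hash (cost 12): %.3f s\n", time_hash(function () use ($password) {
    bcrypt_hash_password($password, 12);
}));
```

Two points the thread does not spell out. First, the cost parameter is the whole reason to move: each increment doubles the work, and the timing lines above let you pick a value that keeps a login well under a second on your own hardware while making offline guessing expensive. Second, bcrypt only reads the first 72 bytes of its input, so prepending the poster's 512-bit pepper (128 hex characters) to the password before calling crypt() would silently truncate the password away; if a pepper is kept alongside bcrypt it has to be combined differently, not simply concatenated in front. On PHP 5.5 and later, password_hash() and password_verify() wrap exactly this crypt() usage and handle salt generation for you.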