Which password hash is more secure?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

cjkeane
Forum Contributor
Posts: 214
Joined: Fri Jun 11, 2010 1:17 pm

Which password hash is more secure?

Post by cjkeane »

I'm wondering which method of password hashing is best for modern apps/sites. Is hashing with sha256 secure enough, or the latter of using password verify? In all my newest projects I want to make sure I code them more securely. Thanks.

$password = hash('sha256', $pass);

OR

$hash = password_hash($password, PASSWORD_DEFAULT);

if (password_verify($user_password, $hash)) {
    // Login successful.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        // Recalculate a new password_hash() and overwrite the one we stored previously
    }
}
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Which password hash is more secure?

Post by requinix »

cjkeane wrote: is hashing sha256 secure enough
No. No no no no no.
cjkeane wrote: or the latter of using password verify.
Definitely that.
cjkeane
Forum Contributor
Posts: 214
Joined: Fri Jun 11, 2010 1:17 pm

Re: Which password hash is more secure?

Post by cjkeane »

I value your input! Thank you! In addition to that, what are your thoughts on using hash, plus salt and sha512?
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Which password hash is more secure?

Post by requinix »

Since PHP added those password_* functions there is no reason to do password hashing on your own. You can learn about algorithms and such for fun, but unless you become fluent in advanced mathematics and have mastered the field of cryptography, let password_hash do it for you.
cjkeane
Forum Contributor
Posts: 214
Joined: Fri Jun 11, 2010 1:17 pm

Re: Which password hash is more secure?

Post by cjkeane »

Thanks! I'll use password_hash from now on :)
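
An added example, not part of the original thread: it fills in the rehash branch left as a comment in the first post and contrasts unsalted hash('sha256', ...) output with password_hash() output. The in-memory user store, the user name and the passwords are constructed for illustration; a real application would read and write the hash in its database.

```php
<?php
declare(strict_types=1);

// Verify a login and upgrade the stored hash when its parameters are outdated.
// $users is a constructed stand-in for the users table (name => stored hash).
function login(array &$users, string $name, string $password): bool
{
    $stored = $users[$name] ?? null;
    if ($stored === null || !password_verify($password, $stored)) {
        return false;
    }
    // The plaintext is only available at login time, so this is the one
    // place where an old hash can be replaced by a stronger one.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Returns the bcrypt cost recorded inside a password_hash() string.
function cost_of(string $hash): int
{
    return password_get_info($hash)['options']['cost'];
}

// Constructed data: a hash stored earlier with a deliberately low bcrypt cost.
$users = [
    'alice' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 4]),
];

echo "cost before login: ", cost_of($users['alice']), "\n";
echo "wrong password accepted: ", var_export(login($users, 'alice', 'wrong guess'), true), "\n";
echo "right password accepted: ", var_export(login($users, 'alice', 'correct horse'), true), "\n";
echo "cost after login:  ", cost_of($users['alice']), "\n";

// Unsalted SHA-256 is deterministic: the same password always yields the same
// stored value, so equal passwords are visible in the table and one
// precomputed lookup covers every user. It is also built to be fast.
$s1 = hash('sha256', 'hunter2');
$s2 = hash('sha256', 'hunter2');
echo "sha256 outputs identical:        ", var_export($s1 === $s2, true), "\n";

// password_hash() adds a random salt per call and stores algorithm, cost and
// salt in the output, which is how password_verify() can still check it.
$p1 = password_hash('hunter2', PASSWORD_DEFAULT);
$p2 = password_hash('hunter2', PASSWORD_DEFAULT);
echo "password_hash outputs identical: ", var_export($p1 === $p2, true), "\n";
echo "both still verify: ", var_export(password_verify('hunter2', $p1) && password_verify('hunter2', $p2), true), "\n";
```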