PHP Developers Network
http://forums.devnetwork.net/

Which password hash is more secure?
http://forums.devnetwork.net/viewtopic.php?f=34&t=143561

Author:  cjkeane [ Thu Apr 27, 2017 2:22 pm ]
Post subject:  Which password hash is more secure?

I'm wondering which method of password hashing is best for modern apps/sites. Is hashing sha256 secure enough, or the latter of using password verify? In all my newest projects I want to make sure I code them more securely. Thanks.

$password = hash('sha256', $pass);

OR

$hash = password_hash($password, PASSWORD_DEFAULT);

if (password_verify($user_password, $hash)) {
    // Login successful.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        // Recalculate a new password_hash() and overwrite the one we stored previously
    }
}

Author:  requinix [ Thu Apr 27, 2017 2:32 pm ]
Post subject:  Re: Which password hash is more secure?

cjkeane wrote:
is hashing sha256 secure enough

No. No no no no no.

cjkeane wrote:
or the latter of using password verify.

Definitely that.

Author:  cjkeane [ Thu Apr 27, 2017 3:24 pm ]
Post subject:  Re: Which password hash is more secure?

I value your input! Thank you! In addition to that, what are your thoughts on using hash, plus salt and sha512?

Author:  requinix [ Fri Apr 28, 2017 2:15 am ]
Post subject:  Re: Which password hash is more secure?

Since PHP added those password_* functions there is no reason to do password hashing on your own. You can learn about algorithms and such for fun, but unless you become fluent in advanced mathematics and have mastered the field of cryptography, let password_hash do it for you.
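
[Added example, not part of the original thread or written by either poster.] The password_hash / password_verify / password_needs_rehash flow discussed above, carried through to the rehash step, and extended to upgrade a row that still holds an unsalted hash('sha256', ...) value at the next successful login. The in-memory $users array, the function names, the cost of 12 and the sample accounts are assumptions made for illustration.

```php
<?php
// Added example: $users stands in for a database table (username => stored hash).
// A real column should be at least VARCHAR(255); PASSWORD_DEFAULT output can grow.
$users = [];
const HASH_OPTIONS = ['cost' => 12]; // bcrypt work factor (assumed value; tune to your hardware)

function register_user(array &$users, string $name, string $password): void
{
    // password_hash() picks a random salt and embeds algorithm, cost and salt in its output.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
}

function login_user(array &$users, string $name, string $password): bool
{
    $stored = $users[$name] ?? null;
    if ($stored === null) {
        return false;
    }
    if (password_get_info($stored)['algoName'] === 'unknown') {
        // Legacy row: unsalted hash('sha256', ...) as in the first snippet of the thread.
        $ok = hash_equals($stored, hash('sha256', $password));
    } else {
        $ok = password_verify($password, $stored);
    }
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT, HASH_OPTIONS)) {
        // The plaintext is only available at login, so this is the moment to upgrade.
        $users[$name] = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
    }
    return $ok;
}

// Constructed sample accounts.
register_user($users, 'alice', 'correct horse battery staple');
$users['bob']   = hash('sha256', 'hunter2');                               // legacy unsalted SHA-256
$users['carol'] = password_hash('s3cret', PASSWORD_BCRYPT, ['cost' => 10]); // older, cheaper cost

var_dump(login_user($users, 'alice', 'wrong password')); // rejected, stored hash untouched
var_dump(login_user($users, 'bob', 'hunter2'));          // accepted, then rehashed
var_dump(login_user($users, 'carol', 's3cret'));         // accepted, then rehashed at cost 12

// Show which algorithm and cost each stored value now carries.
foreach ($users as $name => $hash) {
    $info = password_get_info($hash);
    echo $name, ': ', $info['algoName'], ' ', json_encode($info['options']), PHP_EOL;
}
```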

Author:  cjkeane [ Fri Apr 28, 2017 12:41 pm ]
Post subject:  Re: Which password hash is more secure?

Thanks! I'll use password_hash from now on :)

All times are UTC - 5 hours