Page 1 of 1

Which password hash is more secure?

Posted: Thu Apr 27, 2017 2:22 pm
by cjkeane
I'm wondering which method of password hashing is best for modern apps/sites? is hashing sha256 secure enough or the latter of using password verify. In all my newest projects I want to make sure I code them more securely. Thanks.

$password = hash('sha256', $pass);

OR

$hash = password_hash($password, PASSWORD_DEFAULT);

if (password_verify($user_password, $hash)) {
// Login successful.
if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
// Recalculate a new password_hash() and overwrite the one we stored previously
}
}

Re: Which password hash is more secure?

Posted: Thu Apr 27, 2017 2:32 pm
by requinix
cjkeane wrote:is hashing sha256 secure enough
No. No no no no no.
cjkeane wrote:or the latter of using password verify.
Definitely that.

Re: Which password hash is more secure?

Posted: Thu Apr 27, 2017 3:24 pm
by cjkeane
i value your input! Thank you! In addition to that, what are your thoughts on using hash, plus salt and sha512?

Re: Which password hash is more secure?

Posted: Fri Apr 28, 2017 2:15 am
by requinix
Since PHP added those password_* functions there is no reason to do password hashing on your own. You can learn about algorithms and such for fun, but unless you become fluent in advanced mathematics and have mastered the field of cryptography, let password_hash do it for you.

Re: Which password hash is more secure?

Posted: Fri Apr 28, 2017 12:41 pm
by cjkeane
thanks! i'll use password_hash from now on :)