22Nov
How to create a better and more secure password hashing function in PHP
Posted by admin as PHP
This function returns a more secure password hash by running the SHA1 hash algorithm over the password combined with a salt, returning a salted hash. A salt is a random bit of data, consisting of upper and lowercase letters combined with numbers and special characters, that is included in the string you want to hash so that precomputed dictionary attacks against the stored hashes become impractical. If you are using PHP 5.12 or above, you might want to look at the SHA2 (sha256, sha384, sha512) hash algorithms instead.
The function:
// Note: PHP 5.5 and later ship a built-in password_hash(); on those versions
// this user-defined function must be renamed to avoid a redeclaration error.
function password_hash($username, $password)
{
    // Site-wide salt; replace with your own random string
    $salt = "123456789ThisIStheSalt9876543210";
    return sha1($username . $password . $salt);
}
In this function, I used a 32-character salt made up of upper and lowercase letters and numbers. You can change it to whatever random string of data you have come up with, and you can include special characters too (!@#$, etc.). I have included the username as a parameter of the function so the string to be hashed is longer (username + password + salt).
Usage:
if ($_POST['register_button'])
{
    /* Clean your POST variables against SQL injection and cross-site scripting
       attacks first; the cleaning function is not included in this tutorial */
    // hash the password using the submitted username and password
    $hashed_password = password_hash($username, $password);
    // proceed to insert the details into your database
}
For example, when a user registers on your page with the username "myusername" and the password "mypassword", we take his username and password and hash them using the function. The outcome of the hash will be "d6bbfc3af54c4736839fd339715b6698fb7d23e2". Isn't that more secure than storing the plain-text password in your database? Yes it is. You are then ready to store the generated hash in the password field of your database.
if ($_POST['login_button'])
{
    /* Clean your POST variables against SQL injection and cross-site scripting
       attacks first; the cleaning function is not included in this tutorial */
    // hash the password using the submitted username and password
    $hashed_password = password_hash($username, $password);
    // proceed to check whether the username and hashed password match your database
}
When a user logs in, we take his username and password and hash them again using the same function. Then we validate the username and the hashed password against the details stored in the database.
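As an added example (not the post's own code), the following puts the post's static-salt function beside a per-user random salt version of the same register/login round trip, which is what Greg's comment below recommends, and beside the bcrypt functions PHP has shipped since 5.5. The function names, the "salt:hash" storage format and the sample credentials are this example's own assumptions; it needs PHP 7.0 or later for random_bytes().

```php
<?php
// Added example, not from the original post. Assumes PHP >= 7.0.
// The post's function is renamed because PHP 5.5+ has a built-in password_hash().

// 1. The post's approach: one site-wide salt, SHA-1 over username.password.salt.
//    Every user shares the salt, so one precomputed table covers all accounts,
//    and the stored hash becomes invalid whenever the username changes.
function static_salt_hash($username, $password) {
    $salt = "123456789ThisIStheSalt9876543210";
    return sha1($username . $password . $salt);
}

// 2. Per-user random salt, stored in front of the hash as "salt:hash" so the
//    verifier can recover it without a separate database column.
function random_salt_hash($password) {
    $salt = bin2hex(random_bytes(16));               // 32 hex chars, fresh per user
    return $salt . ':' . hash('sha512', $salt . $password);
}

function random_salt_verify($password, $stored) {
    list($salt, $hash) = explode(':', $stored, 2);
    // hash_equals() compares in constant time; a plain == would leak timing.
    return hash_equals($hash, hash('sha512', $salt . $password));
}

// 3. What current PHP provides out of the box: bcrypt with its own random salt
//    and a tunable work factor, returned as one self-describing string.
function builtin_hash($password) {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function builtin_verify($password, $stored) {
    return password_verify($password, $stored);
}

// Register/login round trip with the post's constructed sample credentials.
$username = 'myusername';
$password = 'mypassword';

echo "static salt : " . static_salt_hash($username, $password) . "\n";

$stored = random_salt_hash($password);                // registration
echo "random salt : " . $stored . "\n";
var_dump(random_salt_verify($password, $stored));     // login, correct password
var_dump(random_salt_verify('wrongpass', $stored));   // login, wrong password

$stored = builtin_hash($password);
var_dump(builtin_verify($password, $stored));
```

Because the salt is now stored with each hash, changing a username no longer invalidates the password, which removes the extra rehash step discussed in the comments.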
- Tags: better and more secure password hashing PHP, easy to use function for password hashing PHP, How to hash password with salt tutorial in PHP, How to securely hash passwords in PHP, Password hashing tutorial in PHP, Password hashing tutorial with salt in PHP, PHP function to hash passwords, Salting hash password in PHP, sha1 with salt password hashing PHP, sha256 with salt password hashing PHP, sha384 with salt password hashing PHP, sha512 with salt password hashing PHP
4 Responses to How to create a better and more secure password hashing function in PHP
James Elliott
April 7th, 2011 at 8:55 pm
A better way to hash is:
function password_hash($username, $password) {
    $salt = "123456789ThisIStheSalt9876543210";
    return hash("SHA512", $username . $password . $salt);
}
Although that is most likely over-kill for most applications.
Andy
July 16th, 2011 at 7:33 am
But if the user ever changes their username, won’t this break? It would require changing the password in the database as well
admin
July 18th, 2011 at 7:57 am
Hello Andy,
Yes, the hashed password will not be valid any more when the user changes his username or password, thus running the function again when updating username/password will be necessary.
Greg
August 2nd, 2011 at 2:36 am
While this is an interesting way to generate unique hashes, it’s best to stick to random salts per user like so: http://www.gregboggs.com/php-blowfish-random-salted-passwords/