I’m using this code to hash passwords:
```php
<?php
// Salted password keyed with a secret HMAC key, SHA-512 as the underlying hash.
$hash = hash_hmac('sha512', $password . $salt, $hmac_key);
```
Is 4096 bits enough for a key?
Thank you!
For password hashing? Sure. Just a long enough salt will be enough.
You need to realise what the purpose of using a hash here is. You’re hashing passwords so that if anyone gets hold of these hashes, they cannot infer the original passwords from them. We use salts so that brute force and rainbow table based attacks are less effective, and we make salts unique for each password so that two users using the same password have different hashes. HMAC does not add anything to security here, except acting as a kind of salt.
HMAC is relevant when you use a hashing function as a digital signature of a message/file (the way php.net uses it on their downloads page, for example). You use an HMAC key so that only people who know this key can verify the authenticity of the hashed content (as contrasted to php.net downloads, where everyone can check the md5 of the downloaded file) and to make it more difficult to spoof a message that produces the same hash (you need to know the key to know what hash to target).
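As an added illustration of the two points in this answer (this is example code, not part of the question or the answer), the Python script below mirrors the question's `hash_hmac('sha512', $password . $salt, $hmac_key)` with Python's `hmac` and `hashlib` modules. The key, salts and messages are constructed sample values. It shows that a per-user salt makes equal passwords hash differently, that the HMAC key behaves like one extra secret salt shared by every record, and, for the second point, that an HMAC tag over a message can only be recomputed and checked by a holder of the key.

```python
import hashlib
import hmac
import os

# Constructed demo key. In a real deployment this is a server-side secret that
# is never stored next to the password hashes it protects.
HMAC_KEY = b"constructed-demo-key-do-not-reuse"


def new_salt(nbytes: int = 16) -> bytes:
    """Fresh random salt, generated per password so equal passwords differ."""
    return os.urandom(nbytes)


def salted_hash(password: str, salt: bytes) -> str:
    """Plain salted SHA-512: anyone holding the salt can recompute this value."""
    return hashlib.sha512(password.encode("utf-8") + salt).hexdigest()


def keyed_hash(password: str, salt: bytes, key: bytes = HMAC_KEY) -> str:
    """Python equivalent of hash_hmac('sha512', $password . $salt, $hmac_key).

    Both return lowercase hex. The key is the same for every record, so it acts
    as a secret, shared salt on top of the per-user one (the answer's point).
    """
    return hmac.new(key, password.encode("utf-8") + salt, hashlib.sha512).hexdigest()


def verify_password(password: str, salt: bytes, stored_hex: str,
                    key: bytes = HMAC_KEY) -> bool:
    """Recompute and compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(keyed_hash(password, salt, key), stored_hex)


def sign_message(message: bytes, key: bytes) -> str:
    """HMAC-SHA512 tag over a message: the second use the answer describes."""
    return hmac.new(key, message, hashlib.sha512).hexdigest()


def verify_message(message: bytes, tag_hex: str, key: bytes) -> bool:
    """Only a holder of `key` can produce a matching tag for `message`."""
    return hmac.compare_digest(sign_message(message, key), tag_hex)


def demo() -> dict:
    """Run the comparisons the answer talks about and return them as booleans."""
    password = "correct horse"          # constructed sample password
    salt_a, salt_b = new_salt(), new_salt()
    message = b"php-8.x.tar.gz release bytes (constructed)"
    tag = sign_message(message, HMAC_KEY)
    return {
        # same password + same salt: identical hash, as expected
        "same_salt_same_hash": keyed_hash(password, salt_a) == keyed_hash(password, salt_a),
        # per-user salt: same password, different hash
        "unique_salt_differs": keyed_hash(password, salt_a) != keyed_hash(password, salt_b),
        # the HMAC key changes every hash, like one more secret salt
        "key_acts_as_salt": keyed_hash(password, salt_a) != keyed_hash(password, salt_a, b"other"),
        # verification of a stored record
        "login_ok": verify_password(password, salt_a, keyed_hash(password, salt_a)),
        "login_wrong_pw": verify_password("wrong", salt_a, keyed_hash(password, salt_a)),
        # message authentication: the right key verifies, a wrong key does not
        "tag_ok": verify_message(message, tag, HMAC_KEY),
        "tag_wrong_key": verify_message(message, tag, b"other"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it directly to print the seven comparisons; every "ok" line should be True and the "wrong" lines False. `hmac.compare_digest` is used in both verifiers because a plain `==` on hex strings leaks, through timing, how many leading characters matched.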