OK, I know this topic is brought up a lot on Stack Overflow, but they don't underline the answers that I'm looking for.
I use md5 encryption, which I was told (it was a while ago, when I was a noob at PHP) was safe, but if you look it up on good old Google it has encryption and decryption.
So I started to look in other places, aka here.
I've heard about all the encryption methods, so for example SHA-1, MD5, SHA-2, SHA-256, SHA-512 and so on.
A lot of people say use bcrypt, which I'm looking over; it's that vs. SHA-512.
And people say use a random salt and save it in your database, which is stupid, because say a hacker hacks your database and gets the salt of all your passwords; then it's a small window to change all the salts before the hacker decrypts all the passwords and goes on to other places and tries them, for instance Facebook, Google and Stack Overflow.
So my question is: is the safest way doing it like this (encrypting (with SHA-512) and using a random salt, which will also be stored in a database), or using a fixed salt which is hard-wired into my PHP code, which has the same amount of security as the random salt in the database?
And I have read a lot of posts on this, so I think I know what I'm talking about, and I'd like to emphasize that I have read many posts about this, about 20 to be precise.
Oh, almost forgot: is it safer if you encrypt the password multiple times, or is it about the same as only one encryption?
Thanks for your help on a much over-written post.
I'm sorry for the people I'm confusing a bit, but I didn't get the point of some other people's posts and I started rambling on about encryption, but I was talking about hashing strings.
Sorry for that.
First some nitpicking: it is hashing and not encrypting. Hashing is one way. Now to answer your question: don't use md5() to hash passwords. It's not safe anymore. It has been broken for some years now. Not only have there been collisions found (multiple values which result in the same hash), but MD5 can be brute-forced really, really fast with any decent GPU. You should use bcrypt. It's the best option for password hashing for now.
No, it is not stupid. Salting passwords prevents an attacker from creating a rainbow table for all your passwords. ircmaxell has created a password lib for your convenience, which can be found on GitHub.
Some related articles and Stack Overflow posts:
Update
When PHP 5.5 is released, it will introduce an easy way to correctly encrypt your passwords. It will use bcrypt by default and automatically add a salt to your passwords. When a better algorithm becomes available in the future (e.g. scrypt), it will be able to use that. For more information, see the RFC about this new feature. It will also have a feature which detects the algorithm used for the currently hashed passwords and can automatically update them to a newer (/safer) algorithm when users log in, once one is available. For implementation examples, check out this GitHub gist.
If you are still on an older version of PHP and cannot update, there is a pure PHP implementation of the C API available, with support for PHP >= 5.3.7. This compat API uses the exact same implementation as the C API.
Note: it would be even better to use the safer scrypt; however, up till now PHP doesn't support it. If it does at some point, I will update this answer.
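The PHP 5.5 password API the answer refers to, put together as an added example that is not part of the original question or answer and not taken from ircmaxell's library or the linked gist. It shows the three calls that matter (password_hash, password_verify, password_needs_rehash), how the per-password random salt and the work factor live inside the stored hash string, and how the asker's existing unsalted md5() hashes can be upgraded one user at a time on login instead of with a mass reset. It assumes PHP 7.1 or later (typed parameters and array destructuring); the user table is a constructed in-memory array standing in for a database, and the user names and passwords are made up.

```php
<?php
// Added example (not code from the original question or answer).
// Assumes PHP >= 7.1. password_hash()/password_verify()/password_needs_rehash()
// exist natively from PHP 5.5; hash_equals() from 5.6.
declare(strict_types=1);

// bcrypt work factor (2^cost rounds). This is the correct form of
// "hash it multiple times": the iteration count is tunable, stored in the
// hash, and raised over time as hardware gets faster.
const BCRYPT_COST = 12;

/**
 * Hash a new password. password_hash() draws a fresh random salt from the
 * OS CSPRNG and embeds salt, algorithm and cost in the returned string
 * ("$2y$12$<22 salt chars><31 hash chars>"), so the database needs a single
 * column and no separate salt column. A salt is not a secret: its job is to
 * make every password a separate brute-force job (no shared rainbow table),
 * and the cost factor is what makes each job slow.
 */
function make_password_hash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

/**
 * Check a login attempt against the stored value and decide whether it
 * should be replaced. Two shapes are accepted:
 *  1. A modern password_hash() string, verified with password_verify(),
 *     which reads salt and cost from the hash and compares in constant time.
 *  2. A legacy unsalted md5() hex digest (32 hex chars), as in the question:
 *     accepted this once, then replaced with a bcrypt hash, so legacy hashes
 *     disappear as users log in.
 * Returns [bool $ok, ?string $newHash]; write $newHash back when non-null.
 */
function verify_and_upgrade(string $password, string $storedHash): array
{
    if (preg_match('/^[0-9a-f]{32}$/', $storedHash) === 1) {
        // Legacy md5: constant-time compare to avoid a timing side channel.
        if (!hash_equals($storedHash, md5($password))) {
            return [false, null];
        }
        return [true, make_password_hash($password)];
    }

    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }

    // Already bcrypt, but hashed with a lower cost (or, on a newer PHP, an
    // older algorithm) than the current policy: transparently rehash.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return [true, make_password_hash($password)];
    }
    return [true, null];
}

/** Login against the constructed user table, persisting any upgraded hash. */
function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        // Burn the same bcrypt time for unknown users so response time does
        // not reveal whether an account exists.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = make_password_hash('dummy');
        }
        password_verify($password, $dummy);
        return false;
    }
    [$ok, $newHash] = verify_and_upgrade($password, $users[$name]);
    if ($ok && $newHash !== null) {
        // In a real app: UPDATE users SET pw_hash = :h WHERE name = :n
        $users[$name] = $newHash;
    }
    return $ok;
}

// Constructed sample "database": one user already on bcrypt, one still on
// the unsalted md5 scheme from the question.
$users = [
    'alice' => make_password_hash('correct horse battery staple'),
    'bob'   => md5('hunter2'),
];

login($users, 'bob', 'hunter2');        // succeeds; bob's row is now a $2y$ bcrypt hash
login($users, 'bob', 'wrong');          // fails against the upgraded hash
login($users, 'nobody', 'anything');    // fails, at bcrypt speed
var_dump(array_map(function (string $h): string { return substr($h, 0, 7); }, $users));
```

Two things worth noticing when running it: hashing the same password twice yields two different strings because a new salt is drawn each time, and password_verify still succeeds for both because the salt is read back out of the hash. Raising BCRYPT_COST later needs no migration step; password_needs_rehash() flags the old hashes and they are rewritten as each user logs in.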