Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
So I heard md5() and sha1() are both outdated and potentially broken. I’ve heard that crypt() isn’t a viable solution as well.
If that’s the case, can anyone point out what are the current up to date cryptography good practices in PHP? I’ve searched the web but didn’t find anything that looked up to date/potential.
Hash plus salt alone is outdated, too, and generally no longer endorsed in password hashing schemes. It’s too easy to calculate such hashes in parallel (even with individual per-user salts), a resourceful attacker is most likely able to break such a scheme.
You should use some form of iterative hashing instead. In addition to applying salts to your passwords, such an algorithm artificially slows the entire hashing process down (cryptographic hashes are generally designed to be as fast as possible while upholding a fixed “security margin”). Suitable primitives to reach this goal are generally considered to be the bcrypt, scrypt or PBKDF2 algorithms. See for example this answer for a discussion on how to use bcrypt in PHP.