I’m currently looking for the best practice to encrypt and store a user’s password. At this moment i’m storing a ‘secret key’ composed of 16 characters in my JSON configuration and i always concatenate this secret key and the password in order to generate a ‘secure’ password.
How’s it better to approach this situation? Is it secure enough to have 1 key for every password or should i drop this method in favour of good ol’ database password + salt storing?
class PasswordHandler { private $_secret_key; private $_password; public function __construct($password = 'myVeryStrongPasswordThanNoneCouldBreak') { $this->_secret_key = 'i36P8JKnyuvaNDah'; $this->_password = $password; return $this; } public function processPassword() { return hash('sha256', $this->_secret_key . $this->_password); } } echo (new PasswordHandler)->processPassword();
Also:
- Is hashing enough or should i encrypt the password? Is SHA-256 strong enough?
- Which hashing/encryption algo is the best-choice when dealing with passwords?
Kind regards!
Advertisement
Answer
Is SHA-256 strong enough?
It might be ok today, but it won’t be tomorrow. General use hashes are designed to be fast, which is why they’re bad choices for passwords. You want to use a system that’s designed to require a lot of computational work.
Which hashing/encryption algo is the best-choice when dealing with passwords
The only thing you should be using to hash passwords in PHP is password_hash()
and its partner function password_verify()
. If you’re using a version of PHP prior to 5.5, you can use this compatibility pack.
Also note:
$this->_secret_key = 'i36P8JKnyuvaNDah';
Your key is not secret anymore.