Tuesday, April 9, 2013

Hashing a password

If you're going to hash a password then you may as well do it right.

For the long version, read crackstation.net.

For the short (PHP) version, read on!

  1. Never, NEVER EVER, store the user's password. No ifs or buts.
  2. $hash = md5($password) is not good enough (it is fast and unsalted). Do it better.
  3. Just because your system is small, not widely used, blah blah blah, whatever your excuse, you should still do it right. You just never know where your code will end up!

Do it right

What it looks like in code (the validation half of the crackstation PHP sample):

// Stored hash layout (the crackstation PasswordHash.php format):
//   algorithm:iterations:salt:base64(pbkdf2)
// HASH_SECTIONS, the HASH_*_INDEX constants, slow_equals() and pbkdf2()
// are defined in that same library.
function validate_password($password, $good_hash)
{
    // Split the stored string into its fields; reject anything malformed.
    $params = explode(":", $good_hash);
    if(count($params) < HASH_SECTIONS)
        return false;
    // Recompute PBKDF2 with the stored algorithm, salt and iteration count,
    // then compare in constant time so the response time leaks nothing.
    $pbkdf2 = base64_decode($params[HASH_PBKDF2_INDEX]);
    return slow_equals(
        $pbkdf2,
        pbkdf2(
            $params[HASH_ALGORITHM_INDEX],
            $password,
            $params[HASH_SALT_INDEX],
            (int)$params[HASH_ITERATION_INDEX],
            strlen($pbkdf2),
            true
        )
    );
}
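A complete, runnable version of the scheme described above, added here as an example (it is not the post's code and not the crackstation library): it generates a fresh random salt per user, derives the key with PHP's built-in hash_pbkdf2(), stores it as "algorithm:iterations:salt:hash", and verifies with a constant-time comparison. The parameter values (sha256, 100000 iterations, 24-byte salt and hash) and the function names are assumptions to tune for your own server; it needs PHP 5.5 or newer for hash_pbkdf2().

```php
<?php
// Added example, not the post's or crackstation's code. Same
// "algorithm:iterations:salt:hash" layout as the validate_password()
// sample above. Parameter values below are assumptions, not from the post.

define("PBKDF2_HASH_ALGORITHM", "sha256");
define("PBKDF2_ITERATIONS", 100000);   // raise until one hash costs ~100 ms on your hardware
define("PBKDF2_SALT_BYTES", 24);
define("PBKDF2_HASH_BYTES", 24);

define("HASH_SECTIONS", 4);
define("HASH_ALGORITHM_INDEX", 0);
define("HASH_ITERATION_INDEX", 1);
define("HASH_SALT_INDEX", 2);
define("HASH_PBKDF2_INDEX", 3);

// Constant-time comparison so the response time does not reveal how many
// leading bytes matched. Uses native hash_equals() (PHP >= 5.6) when present.
function slow_equals($a, $b)
{
    if (function_exists("hash_equals")) {
        return hash_equals($a, $b);
    }
    $diff = strlen($a) ^ strlen($b);
    for ($i = 0; $i < strlen($a) && $i < strlen($b); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Unpredictable per-user salt: identical passwords get different hashes and
// precomputed tables become useless.
function random_salt($bytes)
{
    if (function_exists("random_bytes")) {   // PHP 7+
        return random_bytes($bytes);
    }
    $salt = openssl_random_pseudo_bytes($bytes, $strong);
    if ($salt === false || !$strong) {
        throw new RuntimeException("no cryptographically strong random source");
    }
    return $salt;
}

// Build the storable string. The salt is base64-encoded so the ":" separators
// stay unambiguous; the plaintext password never leaves this function.
function create_hash($password)
{
    $salt = base64_encode(random_salt(PBKDF2_SALT_BYTES));
    $pbkdf2 = hash_pbkdf2(PBKDF2_HASH_ALGORITHM, $password, $salt,
                          PBKDF2_ITERATIONS, PBKDF2_HASH_BYTES, true);
    return PBKDF2_HASH_ALGORITHM . ":" . PBKDF2_ITERATIONS . ":" .
           $salt . ":" . base64_encode($pbkdf2);
}

// Recompute with the parameters stored alongside the hash and compare in
// constant time. Reading algorithm and iteration count from the stored string
// lets you raise the work factor later without invalidating old accounts.
function validate_password($password, $good_hash)
{
    $params = explode(":", $good_hash);
    if (count($params) < HASH_SECTIONS) {
        return false;   // malformed record: fail closed
    }
    $pbkdf2 = base64_decode($params[HASH_PBKDF2_INDEX]);
    $computed = hash_pbkdf2(
        $params[HASH_ALGORITHM_INDEX],
        $password,
        $params[HASH_SALT_INDEX],
        (int)$params[HASH_ITERATION_INDEX],
        strlen($pbkdf2),
        true
    );
    return slow_equals($pbkdf2, $computed);
}

// Demo with a constructed password.
$stored = create_hash("correct horse battery staple");
echo $stored, "\n";
var_dump(validate_password("correct horse battery staple", $stored));
var_dump(validate_password("not the password", $stored));
var_dump(validate_password("anything", "garbage"));
```

Run it twice and note that the stored string differs each time because the salt is fresh, while validation still succeeds; the third check shows that a malformed record is rejected rather than causing an error.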

Wednesday, April 3, 2013

More PHP grief

I'm sorry, but I just have to link to this article:

I'm sorry, but PHP sucks

For example, from Point 3:

(string)"false" == (int)0 is true

Look, if you use PHP regularly, it's worth reading the good and the bad to better understand your tool. And in any case, he does finish with this:

That said, I am a huge advocate for choosing "the right tool for the job" and that, of course, means that you might want to choose PHP under the right circumstances. I'll give you a few examples:
- You have found the ideal framework or base for your software and it's written in PHP
- You already have a huge investment in PHP technology
- Your time-constraints do not allow you to learn something else