Tuesday, April 9, 2013

Hashing a password

If you're going to hash a password then you may as well do it right.

For the long version, read the salted-password-hashing article at crackstation.net.

For the short (PHP) version, read on!

  1. Never, NEVER EVER, store the user's password. No ifs or buts.
  2. $hash = md5($password) is not very good. Do it better.
  3. Just because your system is small, not widely used, blah blah blah, whatever your excuse, you should still do it right. You just never know where your code will end up!

Do it right

What it looks like. Code sample (the validation routine from the crackstation.net PasswordHash.php library, with its index constants and comments added here for context):

// A stored record has the form "algorithm:iterations:salt:base64(pbkdf2)",
// so every parameter needed to re-derive the hash travels with the hash.
define("HASH_SECTIONS", 4);
define("HASH_ALGORITHM_INDEX", 0);
define("HASH_ITERATION_INDEX", 1);
define("HASH_SALT_INDEX", 2);
define("HASH_PBKDF2_INDEX", 3);

// slow_equals() (constant-time comparison) and pbkdf2() (the PBKDF2 derivation,
// equivalent to PHP's built-in hash_pbkdf2()) are the library's own helpers.
function validate_password($password, $good_hash)
{
    $params = explode(":", $good_hash);
    if(count($params) < HASH_SECTIONS)
        return false;   // malformed record: reject rather than guess
    $pbkdf2 = base64_decode($params[HASH_PBKDF2_INDEX]);
    // Re-derive with the stored algorithm, salt and iteration count, then
    // compare in constant time so timing does not leak how close a guess was.
    return slow_equals(
        $pbkdf2,
        pbkdf2(
            $params[HASH_ALGORITHM_INDEX],
            $password,
            $params[HASH_SALT_INDEX],
            (int)$params[HASH_ITERATION_INDEX],
            strlen($pbkdf2),
            true
        )
    );
}
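The validation routine above only makes sense next to the routine that produces the record it checks. Here is an added example (my own code, not the crackstation.net library the post excerpts) of both halves of that record format on PHP's built-in hash_pbkdf2(), random_bytes() and hash_equals() (PHP 7.0 or later); the algorithm, iteration count and salt/hash sizes are this example's choices.

```php
<?php
const PBKDF2_ALGORITHM  = 'sha256';
const PBKDF2_ITERATIONS = 100000;   // raise over time as hardware gets faster
const PBKDF2_SALT_BYTES = 24;
const PBKDF2_HASH_BYTES = 24;
// Record layout "algorithm:iterations:salt:base64(pbkdf2)", same as the excerpt.
const HASH_SECTIONS        = 4;
const HASH_ALGORITHM_INDEX = 0;
const HASH_ITERATION_INDEX = 1;
const HASH_SALT_INDEX      = 2;
const HASH_PBKDF2_INDEX    = 3;

// Produce the storable record. Only this string is ever written to the
// database, never the password itself.
function create_hash(string $password): string
{
    // A fresh, unpredictable salt per user defeats precomputed tables.
    $salt = base64_encode(random_bytes(PBKDF2_SALT_BYTES));
    $hash = hash_pbkdf2(PBKDF2_ALGORITHM, $password, $salt, PBKDF2_ITERATIONS, PBKDF2_HASH_BYTES, true);
    return PBKDF2_ALGORITHM . ':' . PBKDF2_ITERATIONS . ':' . $salt . ':' . base64_encode($hash);
}

// Verify a candidate against a stored record. The record carries its own
// algorithm, iterations and salt, so old records still validate after the
// defaults above are raised.
function validate_password(string $password, string $good_hash): bool
{
    $params = explode(':', $good_hash);
    if (count($params) < HASH_SECTIONS) {
        return false;   // malformed record
    }
    $stored = base64_decode($params[HASH_PBKDF2_INDEX], true);
    if ($stored === false) {
        return false;   // not valid base64
    }
    $computed = hash_pbkdf2(
        $params[HASH_ALGORITHM_INDEX],
        $password,
        $params[HASH_SALT_INDEX],
        (int) $params[HASH_ITERATION_INDEX],
        strlen($stored),
        true
    );
    // hash_equals() is the built-in constant-time comparison, the role
    // slow_equals() plays in the excerpt; a plain == would leak via timing.
    return hash_equals($stored, $computed);
}

// Constructed demonstration values.
$record = create_hash('correct horse battery staple');
var_dump(validate_password('correct horse battery staple', $record));
var_dump(validate_password('Tr0ub4dor&3', $record));
```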
