This section is new and undergoing snippet addition, as of 13/6/11
Password Hashing/Salts
Storing a plain text password anywhere is never a good idea; hash your passwords before storing them, so that the database holds only the digest and never the password itself.
A common way to do this in PHP is to run the password through the sha1() function.
For example:
<?php
// Hash the plain-text password before it is stored; only the
// 40-character hex digest goes into the database.
$password = "password";
$password = sha1($password);
?>
The $password variable would now hold "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8". Because SHA1 is one-way, someone who gets hold of your users table has the hashes, not the passwords, and cannot log in to an account until they recover the plain text behind its hash. The catch is that this particular hash is trivial to recover: SHA1 is fast and there is no salt, so an attacker hashes a wordlist once (or downloads a precomputed table) and then looks every leaked hash up in it. sha1("password") is in every such table.
If you wanted to go further than just hashing, you could also use a password salt.
E.g.
<?php
$password = "password";
$salt     = "~!SALT!~";        // fixed, application-wide salt
$password = $password . $salt; // append the salt to the plain text
$password = sha1($password);   // hash the salted string
?>
The value of $password would now be "366902307395a43a02580b2d24a39d9154520367". A table of plain SHA1 hashes no longer matches, so the attacker has to rebuild it with your salt appended. That only helps while the salt is unknown to the attacker, and a salt that is a constant in your source code leaks together with the code (or a backup of it); once it is known, one rebuilt table still cracks every user at once.
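As an added illustration (not part of the original snippet), here is the lookup-table attack described above run against the two hashes on this page. The wordlist is constructed for the demo; a real attacker uses millions of entries or a precomputed table, and the sha1() values are computed at run time rather than copied from the text.

```php
<?php
// Added example: why an unsalted (or fixed-salt) SHA1 hash of a common
// password is recoverable as soon as the hash table leaks.

// Build a reverse lookup table: sha1(candidate . salt) => candidate.
function build_lookup(array $wordlist, $salt = '')
{
    $table = array();
    foreach ($wordlist as $candidate) {
        $table[sha1($candidate . $salt)] = $candidate;
    }
    return $table;
}

// Recover the plain text for a leaked hash, or null if it is not in the table.
function crack(array $table, $hash)
{
    return isset($table[$hash]) ? $table[$hash] : null;
}

function show($label, $result)
{
    echo $label . ': ' . ($result === null ? 'not found' : 'recovered "' . $result . '"') . "\n";
}

// Constructed wordlist for the demo (a few of the most common passwords).
$wordlist = array('123456', 'password', 'letmein', 'qwerty', 'abc123');

// 1. Unsalted hash, as in the first snippet on the page: the table built
//    once from the wordlist answers immediately.
$leaked = sha1('password');
$table  = build_lookup($wordlist);
show('unsalted sha1', crack($table, $leaked));

// 2. Fixed application-wide salt, as in the second snippet: the table of
//    plain hashes misses, which is the protection the salt buys.
$salt   = '~!SALT!~';
$leaked = sha1('password' . $salt);
show('fixed salt, salt unknown', crack($table, $leaked));

// 3. ...but the salt is a constant in the source. Once it leaks, the
//    attacker rebuilds the table once and every user's hash falls again.
$table = build_lookup($wordlist, $salt);
show('fixed salt, salt known', crack($table, $leaked));
?>
```

The cost of step 3 is a single pass over the wordlist, after which the attacker checks all of your users' hashes against the same table, which is exactly why a salt shared by every user is only a small improvement.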
Better still is a random salt for each user, stored alongside that user's hash: two users with the same password then have different hashes, and the attacker has to repeat the whole wordlist for every account rather than once for the whole table. Note that a salt does nothing about the speed of SHA1 itself; for new code use a hash designed for passwords (bcrypt through crypt() with the $2y$ prefix, or password_hash() on PHP 5.5 and later), which is salted for you and deliberately slow.
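The per-user random salt described above, as an added example that is not the original snippet's code: a register/login pair that stores the salt next to the hash and compares digests in constant time, followed by the same flow using PHP's built-in password_hash() for comparison. The in-memory $users array stands in for the database table, and random_bytes() assumes PHP 7 or later (on PHP 5.3 to 5.6 use openssl_random_pseudo_bytes() instead; never mt_rand()).

```php
<?php
// Added example: per-user random salt, plus the modern replacement.

// A random, unique salt per user. It is stored in plain text beside the
// hash; it does not need to be secret, only unpredictable and unique.
function generate_salt($bytes = 16)
{
    return bin2hex(random_bytes($bytes)); // PHP 7+ (assumed here)
}

// The page's technique: hash the salt and password together.
function hash_password($password, $salt)
{
    return sha1($salt . $password);
}

// Store one record per user: array('salt' => ..., 'hash' => ...).
function register(array &$users, $username, $password)
{
    $salt = generate_salt();
    $users[$username] = array(
        'salt' => $salt,
        'hash' => hash_password($password, $salt),
    );
}

// Recompute with the stored salt and compare in constant time, so the
// comparison does not leak how many leading characters matched.
function login(array $users, $username, $password)
{
    if (!isset($users[$username])) {
        return false;
    }
    $expected = $users[$username]['hash'];
    $actual   = hash_password($password, $users[$username]['salt']);
    return hash_equals($expected, $actual); // PHP 5.6+
}

$users = array();
register($users, 'alice', 'password');
register($users, 'bob',   'password');

// Same password, different salts, therefore different stored hashes.
echo "alice: {$users['alice']['salt']} {$users['alice']['hash']}\n";
echo "bob:   {$users['bob']['salt']} {$users['bob']['hash']}\n";
echo 'hashes differ: ' . var_export($users['alice']['hash'] !== $users['bob']['hash'], true) . "\n";

echo 'alice/password: ' . var_export(login($users, 'alice', 'password'), true) . "\n";
echo 'alice/Password: ' . var_export(login($users, 'alice', 'Password'), true) . "\n";
echo 'carol/password: ' . var_export(login($users, 'carol', 'password'), true) . "\n";

// Salting removes the "one table cracks everyone" problem but not the
// speed of SHA1. password_hash() (PHP 5.5+) uses bcrypt with a random
// salt built into the returned string and a tunable cost, so the salt
// column and the hand-rolled comparison above both go away.
$stored = password_hash('password', PASSWORD_DEFAULT);
echo "bcrypt: $stored\n";
echo 'verify password: ' . var_export(password_verify('password', $stored), true) . "\n";
echo 'verify Password: ' . var_export(password_verify('Password', $stored), true) . "\n";
?>
```

Run it twice and the alice and bob lines change each time, because every registration draws a fresh salt; the login results do not. With password_hash() the stored string already carries the algorithm, cost and salt, so password_verify() needs nothing else from the database.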
See: http://phpsec.org/articles/2005/password-hashing.html