Password security: sha1, sha256 or sha512





Do not write your own password-hashing function! Leave this to seasoned cryptographers. Cryptography is hard to get right. Security is hard to get right.

SHA1, SHA256 and SHA512 are message digests, not password-hashing functions.

Currently, the only standard (as in sanctioned by NIST) password hashing or key-derivation function is PBKDF2. Other reasonable choices, if using a standard is not required, are bcrypt and the newer scrypt. Wikipedia has pages for all three functions:

Switching from SHA1 to SHA256 or SHA512 will not improve the security of the construction so much. Computing a SHA256 or SHA512 hash is very fast. An attacker with common hardware could still try tens of millions (with a single CPU) or even billions (with a single GPU) of hashes per second. Good password hashing functions include a work factor to slow down attackers.

Here's another weakness in the above scheme: an attacker can precompute a password hash once and reuse it for every entry in the password file or database. Once the precomputation is done, computing the hashes for these passwords with a given salt value is trivial, because message digests work incrementally. Thus, the precomputations for $password can be reused to compute the hash for $password.$salt for every value of $salt in the password file.

Here are some suggestions for PHP programmers: first, read the PHP FAQ: and then use crypt() or PHPPASS:

2015-04-26 08:21:10 gstlouis

2015-04-26 09:49:53
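
The two weaknesses described in the answer above, shown in PHP as an added example that is not part of the original answer: first the incremental-digest property that lets the work for `$password` be reused across every `$salt`, then a PBKDF2 replacement built on `hash_pbkdf2()`. The password, salts, iteration count, storage format and the function names `pbkdf2_create` / `pbkdf2_verify` are assumptions made for the illustration.

```php
<?php
// Added example. Password, salts and iteration count are constructed values.

// 1) sha256($password . $salt): digests are incremental, so the state after
//    absorbing the password is computed once and finished cheaply per salt.
$password = 'correct horse battery staple';   // constructed sample
$salts    = ['a1b2c3d4', 'e5f6a7b8'];         // constructed sample salts
$prefix   = hash_init('sha256');
hash_update($prefix, $password);
foreach ($salts as $salt) {
    $ctx = hash_copy($prefix);                // reuse the saved state
    hash_update($ctx, $salt);
    // Matches a from-scratch hash of the concatenation.
    var_dump(hash_equals(hash('sha256', $password . $salt), hash_final($ctx)));
}

// 2) PBKDF2: random per-user salt plus an iteration count (the work factor).
const KDF_ALGO  = 'sha256';
const KDF_ITER  = 600000;   // assumption: tune to your own latency budget
const KDF_BYTES = 32;

function pbkdf2_create(string $password): string
{
    $salt = random_bytes(16);
    $dk   = hash_pbkdf2(KDF_ALGO, $password, $salt, KDF_ITER, KDF_BYTES, true);
    // Keep the parameters with the hash so the work factor can be raised later.
    return implode('$', [KDF_ALGO, KDF_ITER, bin2hex($salt), bin2hex($dk)]);
}

function pbkdf2_verify(string $password, string $stored): bool
{
    $p = explode('$', $stored);
    if (count($p) !== 4 || $p[0] !== KDF_ALGO || !ctype_digit($p[1]) || (int)$p[1] < 1
        || !ctype_xdigit($p[2]) || !ctype_xdigit($p[3])
        || strlen($p[2]) % 2 || strlen($p[3]) % 2) {
        return false;                         // malformed or unexpected record
    }
    $dk = hash_pbkdf2($p[0], $password, hex2bin($p[2]), (int)$p[1], strlen($p[3]) / 2, true);
    return hash_equals(hex2bin($p[3]), $dk);  // constant-time comparison
}

$record = pbkdf2_create($password);
var_dump(pbkdf2_verify($password, $record));
var_dump(pbkdf2_verify('wrong guess', $record));
```

Because the salt is the first input block of PBKDF2's inner HMAC calls and every iteration depends on the previous one, the state-copy shortcut from part 1 does not carry over to part 2.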