Secure PHP Password Hashing: Hashing Passwords

Comments
Author

Thank you soooo much Alex, I am relatively new to PHP and databases and this helps address one of my biggest concerns, I can't thank you enough for all your hard work and great content you have provided on your channel. You are my best teacher!! Many thanks =)

James-grjo
Author

While this is a good tutorial for the average developer, it's also a bit misleading to those who are actually trying to understand what BCrypt produces in PHP.

First of all, 2y (from the picture at php.net docs) is not an 'algorithm'. That's a signature mode proposing a fix to the high-bit attack issues with the 2a signature. Second, 14 rounds of Blowfish can be distinguished from a pseudorandom permutation. That doesn't necessarily apply in this scenario as the cost factor is equal to rounds^2 (point is, you shouldn't throw in cost values just like that). Third, I disagree that users shouldn't wait on the hash being generated upon a registration process, for instance. Any additional/higher cost value slows the algorithm down by a factor of two, which itself is a good enough reason to force a 4-5 second delay on average.

keeper
Author

Thanks a lot for clarifying why providing your own salt is a shitty idea. In PHP7 the salt option is deprecated exactly for the reasons you stated.
And just for quick reference for people who just see this video (I wrote this in your other video too): Increasing the cost by 1 DOUBLES the number of iterations the hash function does, therefore roughly doubling the computing time (computing time is also influenced by other factors like other processes, but let's say your CPU would do nothing else but computing bcrypt hashes; increasing cost by 1 would exactly double it).

BC
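As an added example (not the video's code or any commenter's) of the cost doubling described in the comment above, this PHP script benchmarks bcrypt cost on the local machine, then hashes and verifies a password with the native password_hash/password_verify API (PHP 5.5 or newer); the 0.25 s latency budget, the starting cost of 10 and the sample password are assumptions.

```php
<?php
// Added example: bcrypt cost selection, hashing and verification in PHP.
declare(strict_types=1);

// Time one bcrypt hash at a given cost. bcrypt accepts costs 4..31, and
// each +1 doubles the key-expansion work (2^cost iterations).
function bcryptSeconds(int $cost, string $sample = 'benchmark-only'): float
{
    $start = microtime(true);
    password_hash($sample, PASSWORD_BCRYPT, ['cost' => $cost]);
    return microtime(true) - $start;
}

// Pick the highest cost whose single-hash time stays under the budget
// on this machine (assumed budget: 0.25 s, assumed starting cost: 10).
function chooseCost(float $budgetSeconds, int $min = 10, int $max = 31): int
{
    $cost = $min;
    while ($cost < $max && bcryptSeconds($cost + 1) < $budgetSeconds) {
        $cost++;
    }
    return $cost;
}

$cost = chooseCost(0.25);
printf("Chosen cost: %d\n", $cost);
// Adjacent costs: each step takes roughly twice as long as the previous one.
foreach ([$cost - 1, $cost, $cost + 1] as $c) {
    printf("cost=%d  %.3fs\n", $c, bcryptSeconds($c));
}

// Registration: do not pass your own salt; password_hash generates a random one
// and embeds it, along with the cost, in the stored string
// ("$2y$" prefix, two-digit cost, 22-char salt, 31-char hash).
$password = 'correct horse battery staple';   // constructed sample
$stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
echo $stored, "\n";

// Login: password_verify reads the cost and salt back out of $stored and
// compares in constant time; the caller never handles the salt.
var_dump(password_verify($password, $stored));
var_dump(password_verify('wrong password', $stored));

// If the site's cost is raised later, rehash on the next successful login.
$newCost = min($cost + 1, 31);
if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $newCost])) {
    $stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => $newCost]);
}
```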
Author

You used mcrypt at the start then ended with bcrypt. What other algorithms are there?

CallumAtwal
Author

I've already created password hashing long ago.
But can't figure out how to use it when logging in?

kerimtim
Author

echo password_hash($_POST['text'], PASSWORD_BCRYPT, array('cost' => 1337));
yolo

Buffalx
Author

In the last video you had us check our PHP version and mine is 5.217; you had us update to 5.5. I looked on my server: 5.2 or 5.3 is the PHP standard for GoDaddy. My question is, if someone does not have PHP 5.5, will the password not be able to be hashed and get the error: Fatal error: Call to undefined function password_hash() in /home/content some file name on line 2. I am very new at this and if this is a dumb question then so be it. I just enjoy working with the code and doing the tutorials you make. Thanks! Joe

mod
Author

I got this:
Fatal error: Call to undefined function password_hash()

My PHP is:
PHP Version 6.0.0-dev

ssalkhalaf
Author

This hash is not secure at all!!
MD5 is a broken hashing algorithm.
Please update to a more secure algorithm.

Kklaude
Author

This only works above 5.5 - most hosting is at 5.2 or 5.3.

A better tutorial would be about creating hashes manually.

Besides, what's the point of having functions in PHP where the docs say what the pattern is? It's plain stupid to me. Knowing the pattern and having a reverse function password_verify, it's much easier to crack a password than making it manually with many salts, random numbers etc.

inzMBL