
What is better with salt for password storage?

MD5:

$hash = md5($password . $salt); 

Password_hash:

$hash = password_hash($password, PASSWORD_DEFAULT, ['salt' => $salt]); // third argument is an options array; the 'salt' option is deprecated since PHP 7.0 and ignored with a warning since PHP 8.0

SHA1:

$result = sha1($salt.$string); 
  • I'm voting to close this question as off-topic because it is about analysing security properties and has no programming question. Commented Mar 19, 2015 at 14:40
  • Take a look at stackoverflow.com/questions/2235158/… Commented Mar 19, 2015 at 14:43
  • You are correct. This does deal with security. No programming here as far as I can see. Commented Jun 6, 2016 at 14:56

2 Answers


You should absolutely use the password_hash() function without providing your own salt:

$hash = password_hash($password, PASSWORD_DEFAULT); 

The function generates a secure random salt on its own. The other algorithms are way too fast for hashing passwords and can therefore be brute-forced too easily (around 8 billion MD5 hashes per second).


2 Comments

What about when you need to authenticate and you don't know the salt that has been generated? I am asking to learn, not to correct.
Never mind... the password_verify() function is used. Leaving my comments for future users with the same question.
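The full register / verify / rehash flow that the accepted answer and its comments describe, as an added example that is not code from the question or from either answer. It assumes PHP 7.4 or newer (arrow functions, hrtime, the password_* functions); the cost of 12, the sample password and the legacy cost-10 hash are constructed for illustration. The throughput it prints comes from a single CPU core, not a GPU cracking rig, so the absolute numbers will be far below the figure quoted in the answer; the ratio between the fast hashes and password_hash() is the point.

```php
<?php
// Added example, not code from the original question or answers.
// Assumes PHP 7.4 or newer. The cost of 12 and the sample passwords are
// arbitrary choices for illustration.
declare(strict_types=1);

const BCRYPT_OPTIONS = ['cost' => 12];

// Registration: hash a new password. No salt is passed; password_hash()
// draws a random 16-byte salt from a CSPRNG and encodes it, together with
// the algorithm identifier and cost, inside the returned string.
function hash_password(string $password): string
{
    $hash = password_hash($password, PASSWORD_DEFAULT, BCRYPT_OPTIONS);
    if (!is_string($hash)) {            // PHP < 8 returns false on failure
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

// Login: the salt and cost are read back out of $stored, so the database
// holds only this one string per user; nothing else has to be kept.
function verify_password(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// After a successful login, produce a new hash when the stored one was made
// with a lower cost or an older algorithm, so parameters can be raised later.
function maybe_rehash(string $password, string $stored): ?string
{
    return password_needs_rehash($stored, PASSWORD_DEFAULT, BCRYPT_OPTIONS)
        ? hash_password($password)
        : null;
}

// Rough throughput measurement used to illustrate "way too fast": how many
// hashes one core computes per second with a given hash function.
function hashes_per_second(callable $hashFn, int $iterations): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $iterations; $i++) {
        $hashFn("password$i");
    }
    return $iterations / ((hrtime(true) - $start) / 1e9);
}

// --- demonstration with a constructed password ---
$password = 'correct horse battery staple';

$stored = hash_password($password);
echo "stored:            $stored\n";   // bcrypt format: $2y$12$<22-char salt><31-char hash>

// Hashing the same password twice yields different strings, because each
// call picks a fresh salt; only password_verify() can compare them.
$again = hash_password($password);
echo "same string twice: ", var_export($stored === $again, true), "\n";
echo "verify correct:    ", var_export(verify_password($password, $stored), true), "\n";
echo "verify wrong:      ", var_export(verify_password('wrong password', $stored), true), "\n";

// A constructed legacy hash at cost 10 gets upgraded on the next login.
$legacy   = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$upgraded = maybe_rehash($password, $legacy);
echo "legacy rehashed:   ", var_export($upgraded !== null, true), "\n";

// Speed comparison on this machine (numbers vary with hardware).
$salt = bin2hex(random_bytes(16));
printf("md5(pw . salt):   %12.0f hashes/s\n",
    hashes_per_second(fn(string $p) => md5($p . $salt), 200000));
printf("sha1(salt . pw):  %12.0f hashes/s\n",
    hashes_per_second(fn(string $p) => sha1($salt . $p), 200000));
printf("password_hash():  %12.1f hashes/s\n",
    hashes_per_second(fn(string $p) => password_hash($p, PASSWORD_DEFAULT, BCRYPT_OPTIONS), 5));
```

Run it with `php example.php`. Store only the string password_hash() returns; when a login succeeds and maybe_rehash() returns a new string, overwrite the stored value with it so that the whole user table migrates to the current cost over time.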

Salts are great when you are storing lots of passwords, otherwise they are fairly useless since they are stored in plaintext. If an attacker manages to get your hashed passwords, then assume that they can get their hands on your salts. Use SHA-256 because it's a cryptographically strong hash function, and use salts. But most importantly, just use strong passwords combined with strong hashing algorithms.
