
I'm on a journey of learning everything about information security, and as I've read about how to secure a password, I didn't quite understand why I should slow down the hashing of a password and how to do it properly.

Yes, it takes longer to crack it, but eventually it will be cracked, even if it happens in years.

Also, it would be great if you could give me some advice on what to add to the code below to secure it more. I really want a password to be as secure as it can be.

```php
<?php
$password = 'userinput'; // plaintext as submitted by the user

// generates a random salt and stores algorithm, cost and salt in $hash;
// PASSWORD_DEFAULT currently selects bcrypt
$hash = password_hash($password, PASSWORD_DEFAULT);
```

After some research I understood that password_hash is the best way to do it, because it does all the job properly (salt, crypt algorithm), and bcrypt (PASSWORD_DEFAULT) is, for now, the safest to use. Also, for storage of the password, VARCHAR(255) is the recommended one.

  1. I didn't quite understand what option['cost'] is for, except that it is also used to slow down the hashing.

  2. Should I use a pepper? And how do I embed it in the code? Should I store it in the database, is it of use later? I've read this post but I couldn't figure out how to replicate it using password_hash as in the code above.

  3. Following this blog, if I'm using a pre-hash (pepper) together with the password hash, the hash can contain NULL bytes, which are devastating for security, so should I somehow sanitize the 'userinput' to remove the '\0' set of chars? Or just do as he says:

  • Use hex output from the pre-hash
  • Base64 encode the raw output of a pre-hash

Please, if any of my statements/questions are wrong, correct me.

A code example along with the explanation would be very helpful to me. This would help me a lot to better understand password security. Thank you

UPDATE: After this question was marked as a duplicate, I found a quite informative post about why it is helpful to slow down hashing. But that was just one point of my entire question.

The 4 points are still unclear and unanswered, and I couldn't find almost anything about them in that post.

One thing that I forgot to mention is that I'm coding in PHP, and it would be helpful if the code example were written in PHP. Also, I don't think that this question is too broad, as the topic of the post is simply password securing and not the entire field of information security. I've seen far more complex and broad questions here than mine.

Peter Cos
  • 21
  • 2
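As an added example for the three numbered points in the question (this is not the poster's code and not a library's canonical method), here is a PHP sketch that tunes the bcrypt cost, applies a pepper as an HMAC pre-hash with hex output so the value bcrypt sees can never contain a NUL byte, and rehashes old entries when the cost is raised. It assumes PHP 7.1 or later and that the pepper is supplied through an environment variable named APP_PASSWORD_PEPPER (a constructed name), never through the database.

```php
<?php
// Added example, not code from the question or its comments.

// The pepper is a secret that is NOT stored alongside the hashes, so a dump of
// the users table alone is not enough to start cracking. Here it is assumed to
// come from an environment variable set by the deployment (constructed name).
function load_pepper(): string
{
    $pepper = getenv('APP_PASSWORD_PEPPER');
    if ($pepper === false || strlen($pepper) < 32) {
        throw new RuntimeException('APP_PASSWORD_PEPPER must be set to a long random secret');
    }
    return $pepper;
}

// Pre-hash with HMAC-SHA256 and return HEX output. This covers point 3: a hex
// string cannot contain "\0" (bcrypt stops at the first NUL byte), and it is
// always 64 ASCII characters, below bcrypt's 72-byte input limit.
function prehash(string $password, string $pepper): string
{
    return hash_hmac('sha256', $password, $pepper); // binary = false, so hex
}

// Point 1: 'cost' is the base-2 log of the number of bcrypt rounds. Each +1
// doubles the time for you and for an attacker. Pick a cost so that one hash
// takes roughly $targetMs on this server; never go below PHP's default of 10.
function pick_cost(float $targetMs = 250.0): int
{
    $cost = 9;
    do {
        $cost++;
        $start = microtime(true);
        password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsedMs = (microtime(true) - $start) * 1000;
    } while ($elapsedMs < $targetMs && $cost < 31); // 31 is bcrypt's maximum
    return $cost;
}

// Point 2: the pepper is applied in the pre-hash; password_hash still creates
// its own random salt and embeds algorithm, cost and salt in the returned
// string, which fits in VARCHAR(255).
function hash_password(string $password, int $cost): string
{
    return password_hash(prehash($password, load_pepper()), PASSWORD_BCRYPT, ['cost' => $cost]);
}

function verify_password(string $password, string $storedHash): bool
{
    return password_verify(prehash($password, load_pepper()), $storedHash);
}

// After a successful login, check whether the stored hash used a lower cost
// than the current setting and, if so, return a fresh hash to store.
function rehash_if_needed(string $password, string $storedHash, int $cost): ?string
{
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $cost])) {
        return hash_password($password, $cost);
    }
    return null;
}

// Demo with constructed input; run with APP_PASSWORD_PEPPER set in the environment.
$cost   = pick_cost();
$stored = hash_password('correct horse battery staple', $cost);
var_dump(verify_password('correct horse battery staple', $stored));
var_dump(verify_password('wrong password', $stored));
var_dump(rehash_if_needed('correct horse battery staple', $stored, $cost));
```

A pepper can be generated once with `bin2hex(random_bytes(32))` and placed in the environment or a config file outside the web root. Because the pepper is mixed in before bcrypt, it cannot be rotated without the plaintext; in practice a new pepper is introduced by rehashing each account on its next successful login, the same path rehash_if_needed already takes when the cost changes.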
  • (3) Possible duplicate of [How to securely hash passwords?](http://security.stackexchange.com/questions/211/how-to-securely-hash-passwords) – Polynomial Jan 04 '17 at 14:12
  • (2) The question in its current form is too broad. Most of your questions (should I use a pepper, etc.) are also duplicates. You should try to focus your question on one specific point (the question about bcrypt and nullbytes is likely not a duplicate, for example) – tim Jan 04 '17 at 16:09
  • @Polynomial, check my update please. I'm pretty sure this is far from a duplicate, as tim observed. I really need some guidance which would greatly help me learn better about this topic. – Peter Cos Jan 04 '17 at 18:41
  • This is too broad. Each of your points is covered by other questions here – schroeder Jan 04 '17 at 18:41
  • @schroeder, the only point of my question that is out of the subject is number 3, which I would gladly remove if I'm upsetting anyone. The others are simply about hashing, thus strengthening of a password. – Peter Cos Jan 04 '17 at 18:44
  • Actually, I would remove #3 and the parts that you don't need answers for anymore. Then we'll see if you need to narrow it further. – schroeder Jan 04 '17 at 18:47
  • @schroeder, would be great. – Peter Cos Jan 04 '17 at 18:48
  • Welcome to Security Stack Exchange. I'd encourage you to go ahead and ask any clear and concise question if that will help you understand how to hash passwords and why. It's the long-winded discussions that can get you in trouble. Just nice, easy to read, clear to answer questions are the best. – 700 Software Jan 04 '17 at 19:13
  • See also: http://security.stackexchange.com/a/138369/764 – 700 Software Jan 04 '17 at 19:14
  • I appreciate the reference, but there is no new info there. I already read those things like 5 times and am still a bit confused on how to integrate a pepper in the hash (as PHP code). This is not the only confusion, but it seems I won't find any help here. Moderators are more concerned whether my question is too broad or a duplicate rather than helping. – Peter Cos Jan 04 '17 at 19:29
  • This answer provides you with a basic overview of adding a pepper: https://security.stackexchange.com/questions/3272/password-hashing-add-salt-pepper-or-is-salt-enough. If you need help coding this in PHP you should try StackOverflow. We're simply trying to keep questions here easy to understand and answer so they are useful to everyone. – PwdRsch Jan 04 '17 at 20:03

0 Answers