-1

I've found many posts on StackOverflow and other sites using Google, but since security is always changing, and what was safe a few months ago may not be anymore... I felt the need to ask on here.

Unfortunately my server does not support Blowfish.

I am looking for the most simple way possible to store passwords safely.

gb2016
  • If you need concrete help doing this in PHP, read [Secure hash and salt for PHP passwords](http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords/401684#401684). – Gilles 'SO- stop being evil' May 20 '13 at 20:01

2 Answers

0

Time is really the key. Any hashing algorithm that takes sufficient time and doesn't have weaknesses other than speed can be used as long as it is run enough times to make it infeasible to crack using modern GPU based approaches.

Using an established cryptographic hash is preferable, but running thousands of iterations of a fast but reliably random algorithm can work in a jam as long as proper salting is used. (Different salt for each record at a minimum, preferably for each time that a record is written.) The key is to make sure that it is infeasible for an attacker to calculate the passwords in the time period that they are valid for. Keep in mind that GPUs can run many simpler hashes very fast, so the number of iterations required can get high.

AJ Henderson
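The salted, iterated hashing described in the answer above, written for a PHP build that has neither Blowfish `crypt()` nor `hash_pbkdf2()`. This is an added example, not code from either answer: it uses PBKDF2-HMAC-SHA256 built on `hash_hmac()`, the function names and the `pbkdf2-sha256$...` record layout are hypothetical, and it assumes a Unix-like host with a readable `/dev/urandom`.

```php
<?php
// PBKDF2-HMAC-SHA256 (RFC 2898) built on hash_hmac(), for PHP without hash_pbkdf2().
function pbkdf2_sha256($password, $salt, $iterations, $length = 32)
{
    $out = '';
    for ($block = 1; strlen($out) < $length; $block++) {
        // U1 = HMAC(password, salt || INT32_BE(block)); Un = HMAC(password, Un-1)
        $u = hash_hmac('sha256', $salt . pack('N', $block), $password, true);
        $t = $u;
        for ($i = 1; $i < $iterations; $i++) {
            $u = hash_hmac('sha256', $u, $password, true);
            $t ^= $u; // byte-wise XOR of two equal-length binary strings
        }
        $out .= $t;
    }
    return substr($out, 0, $length);
}

// Assumption: a Unix-like host where /dev/urandom is readable.
function random_salt($bytes = 16)
{
    $fh = @fopen('/dev/urandom', 'rb');
    $salt = $fh ? fread($fh, $bytes) : false;
    if ($fh) { fclose($fh); }
    if ($salt === false || strlen($salt) !== $bytes) {
        throw new Exception('No secure random source available');
    }
    return $salt;
}

// A fresh salt on every write; the iteration count is an assumed starting value to tune.
function hash_password($password, $iterations = 100000)
{
    $salt = random_salt();
    $dk = pbkdf2_sha256($password, $salt, $iterations);
    return 'pbkdf2-sha256$' . $iterations . '$' . base64_encode($salt) . '$' . base64_encode($dk);
}

function verify_password($password, $stored)
{
    $p = explode('$', $stored);
    if (count($p) !== 4 || $p[0] !== 'pbkdf2-sha256') { return false; }
    $expected = base64_decode($p[3]);
    $actual = pbkdf2_sha256($password, base64_decode($p[2]), (int) $p[1]);
    $diff = strlen($expected) ^ strlen($actual); // constant-time compare, no hash_equals() here
    for ($i = 0; $i < strlen($expected) && $i < strlen($actual); $i++) {
        $diff |= ord($expected[$i]) ^ ord($actual[$i]);
    }
    return $diff === 0;
}
```

Because the iteration count is stored inside each record, it can be raised later and old records re-hashed at the user's next successful login.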
0

To "store passwords safely" you would need to look at many factors, since even a top-encrypted data file in public may represent an attack vector.

Since you're specifically asking in relation to PHP 5.2.17, I would like to point you to the multitude of Cryptography Extensions which might (or might not) come installed alongside of your PHP install. Most often (at least, according to my personal experience) you will find that the Mcrypt extension is available. If it is, check the function `mcrypt_list_algorithms`, which returns an array of all supported ciphers. You'll be sure to find something as good as blowfish (or even better) in there.

Besides that, I don't want to press that "Post Your Answer" button without saying that you will do your security good by storing the data in a safe place. This may be a database, or even a flat file... but in case of flat-file storage, make sure the files are not publicly accessible to avoid unwanted security holes.

e-sushi