9

This is the first time I've had to handle personnel information and I want to make sure I have a good amount of security. I will be storing users' emails and passwords for their accounts on a MySQL table, so I was wondering if the password_hash() function is sufficient for hashing.

For example would this be an acceptable amount of security for storing passwords?:

$password = password_hash($password, PASSWORD_BCRYPT);

I would then compare the hashed passwords when a user tries to log in to verify. Also because I don't need the emails for contact purposes, they could be hashed as well.

user38230
  • 93
  • 1
  • 1
  • 3

1 Answers1

9

Using bcrypt is a good start; that's the recommended choice (or at least one of the recommended choices). The documentation seems to indicate that PHP finally does things properly. Make sure that your PHP version is at least 5.5.0. Don't try to fiddle with salts: by default, the function will generate a random salt when needed, and that's the right way to do it, so just let it do its job.

You should try to alter the "cost" option as well. For bcrypt, the cost is a value ranging from 4 to 31; each increment means that the password hashing is twice as expensive, both for your server and for the attacker. In practice, you want to make that value as high as can be tolerated, given your server power, average load, peak load, and maximum user patience: this will give you the best security that you can hope for.

(Note that I said "the best", not "good".)

If you want to understand the underlying concepts for good password hashing, and why bcrypt is a good choice, start here.

Tom Leek
  • 170,038
  • 29
  • 342
  • 480
  • A bit more about the cost option, I'd suggest it is good to aim for ≤ 100 ms hashing time (for interactive logins). Here is some more detail: http://timoh6.github.io/2013/11/26/Aggressive-password-stretching.html – timoh Jan 31 '14 at 13:39