24

I started reading about password hashing recently on multiple sites like this page on crackstation and others, and from what I have understood, I should avoid using hashing algorithms like md5 and sha1 because they are outdated and instead I should use sha256 with salt. But after reading this page on the php manual, I noticed that they discourage the use of even sha256 and instead recommend using the password_hash() functions. I also noticed that most of these articles/pages were written in the interval 2011-13, so I am not sure how secure sha256-hashed passwords with salts are nowadays and whether or not they should still be used in webapps.

WhiteWinterWolf
Yuran Pereira
  • **NEVER USE A SINGLE HASHING ITERATION FOR PASSWORDS**. Please use scrypt/PHC-Winner/bcrypt/PBKDF2-HMAC-SHA256, as they're built to defend passwords. – SEJPM May 25 '15 at 18:45
  • possible duplicate of [Please help clarify password hashing - salted, multiple iterations of MD5 vs bcrypt/sha2, etc](http://security.stackexchange.com/questions/76282/please-help-clarify-password-hashing-salted-multiple-iterations-of-md5-vs-bcr) and the more general [How to securely hash passwords?](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords) – tim May 25 '15 at 20:02

3 Answers

30

General-purpose hashes have been obsolete for passwords for over a decade. The issue is that they're fast, and passwords have low entropy, meaning brute-force is very easy with any general-purpose hash. You need to use a function which is deliberately slow, like PBKDF2, bcrypt, or scrypt. Crackstation actually explains this if you read the whole page. On the other hand, MD5 and SHA-1 aren't weaker than SHA-2 in the context of password hashing; their weakness is not relevant for passwords.

cpast
  • Does this answer not apply in the scenario where passwords actually have high entropy? – NH. Sep 29 '17 at 21:31
  • @NH. Passwords cannot have high entropy. They need to be remembered by humans. Even the infamous password of 'correct horse staple battery' is relatively easy to crack once you understand the RULES people use. The Shannon entropy is what matters when cracking passwords. – christopher clark Oct 17 '17 at 13:56
  • @christopherclark "They need to be remembered by humans." Please drag yourself out of the dark ages, and into the light of password managers. I don't bother to remember passwords for 99.99% of the sites I have (A) because I don't need to and (B) because it's impossible anyway. They're random strings of 24 characters from an alphabet with a little over 6 bits entropy per character, or about 150 bits across the entire password. e.g. `Ty^Muqd23k@oTxKVxoYH&Lus` or `yh%yL3L~$CKtJ3~Wr@SmJcVA` or `7ZJE@Uh3~%fRgcDM3FFEVwJ` or `&4~@eEjNdnRRoPmoycWeUDxt`. – dgnuff Feb 11 '23 at 01:12
21

As @cpast says, the main problem of a single SHA-256 is that it is way too fast. An attacker with an off-the-shelf gaming GPU can try passwords at a rate that is counted in billions per second (American billions, but that's still a lot).

Another problem is that there is potential for combining things improperly. SHA-256 is a hash function: it takes one input, and produces an output. If you feed SHA-256 with a password and a salt, then you are really defining your own cryptographic protocol, based on SHA-256 with some extra things, the extra things telling how the password and the salt are combined to make the SHA-256 input. Designing cryptographic protocols is known to be hard, notably because there is no reliable test for security. You cannot know whether you did right. (Well, when your server has become host to a full party of hackers connecting from a dozen different countries you had never heard of, then you know that you did wrong, but it is a bit too late...)

Proper password hashing has a theory. Read this answer as a primer on the subject.

Thomas Pornin
  • In every theory there is a practice. The so very much *feared* "extra things" is as simple as `pwd = salt + pwd`. **That's all**, no? – Pacerier Sep 10 '16 at 02:55
13

sha256 is not designed to hash passwords. To hash passwords, you should prefer to use hash functions created for this usage. You will find all required information below in another question addressing a similar request: Most secure password hash algorithm(s)?.

In the above mentioned question, you will learn why general purpose hash functions like sha256 do not have the right properties to ensure secure storage of passwords (even when applied to themselves a large number of times), and you will also find a ranking of the most-recommended hash functions dedicated to secure password handling:

  1. scrypt: Which is still quite new (published in 2012), but is designed to ensure better security than its predecessor bcrypt,
  2. bcrypt: It was designed specifically for password storage and was the recommended choice for a long time,
  3. PBKDF2: It's actually designed as a key stretching function, i.e. a secure way to derive a cryptographic key from a given password, but its properties make it also suitable for password storage.

In your question you mentioned the PHP function password_hash(). This function is not a hash algorithm per se. In fact, this function is used to allow PHP to select the most trusted password hash algorithm available without having to modify your code.

As indicated in the documentation, as of PHP 5.5.0, bcrypt is selected by default.

Mike Ounsworth
WhiteWinterWolf
  • One of the ways scrypt improves over the others is that not only does it make the hash computationally intensive in terms of CPU cycles, it also requires huge amounts of *memory* to perform each hash as well, which makes it harder to compute hashes massively in parallel (e.g., using GPUs). Note: these algorithms are scalable in that when you perform the hash you specify how many "rounds", i.e. how computationally intensive the hash will be, so it's possible to make any of them faster but easier to compute, or harder to compute but slower. – thomasrutter May 26 '15 at 01:28
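An added example in Python (not code from any of the answers or comments above) that puts the three answers into practice: a password_hash()-style API built on the memory-hard scrypt KDF rather than a single salted SHA-256, with a fresh random salt per password, the cost parameters stored next to the digest so they can be raised later (the "scalable rounds" point in thomasrutter's comment), and a constant-time comparison on verify. The `$scrypt$n=..,r=..,p=..$salt$hash` storage string is a convention constructed for this example, not PHP's own `$2y$` bcrypt format.

```python
import base64
import hashlib
import hmac
import os

# Current cost policy; raise over time (needs_rehash flags old hashes).
# scrypt memory use is 128 * r * n bytes, i.e. 16 MiB for these values.
CURRENT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}
SALT_LEN = 16   # bytes of random salt per password
DKLEN = 32      # bytes of derived key stored as the "hash"


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii")


def hash_password(password: str, params: dict = CURRENT_PARAMS) -> str:
    """Return a self-describing string: algorithm, cost, random salt, digest."""
    salt = os.urandom(SALT_LEN)  # never reused, never derived from the password
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=params["n"],
                        r=params["r"], p=params["p"], dklen=DKLEN)
    return "$scrypt$n={n},r={r},p={p}${salt}${dk}".format(
        n=params["n"], r=params["r"], p=params["p"], salt=_b64(salt), dk=_b64(dk))


def _parse(stored: str):
    """Split the stored string back into cost parameters, salt and digest."""
    _, algo, cost, salt_b64, hash_b64 = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported algorithm: " + algo)
    params = {k: int(v) for k, v in (kv.split("=") for kv in cost.split(","))}
    return params, base64.b64decode(salt_b64), base64.b64decode(hash_b64)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    params, salt, expected = _parse(stored)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=params["n"],
                        r=params["r"], p=params["p"], dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str, params: dict = CURRENT_PARAMS) -> bool:
    """True when a stored hash was made with a weaker cost than current policy."""
    old, _, _ = _parse(stored)
    return any(old[k] < params[k] for k in ("n", "r", "p"))
```

On a successful login, call needs_rehash() and, if it returns True, store hash_password() of the plaintext you just verified; that is how a cost increase rolls out without forcing password resets.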