Password Hashing

By | May 29, 2006

In this article I'm going to cover password hashing, a subject which is often poorly understood by newer developers. Recently I've been asked to look at several web applications which all had the same security issue – user profiles stored in a database with plain text passwords.

Password hashing is a way of encrypting a password before it's stored so that if your database gets into the wrong hands, the damage is limited. Hashing is nothing new – it's been in use in Unix system password files since long before my time, and quite probably in other systems long before that. In this article I'll explain what a hash is, why you want to use them instead of storing real passwords in your applications, and give you some examples of how to implement password hashing in PHP and MySQL.

As you read on you'll see that I advocate the use of a hashing algorithm called Secure Hashing Algorithm 1 (or SHA-1). Since I wrote this article, a team of researchers – Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu – have shown SHA-1 to be weaker than was previously thought. This means that for certain purposes such as digital signatures, stronger algorithms like SHA-256 and SHA-512 are now being recommended.
