1

I have this hash class that I need to convert from SHA256 to bcrypt because I'm using it to store passwords. I can't seem to translate the documentation to my situation. 

<?php
class Hash{
    public static function make($string, $salt = ''){
        return hash('sha256', $string . $salt);
    }

    public static function salt($length){
        return mcrypt_create_iv($length);
    }

    public static function unique(){
        return self::make(uniqid());
    }
}
Improve this question
6
  • php.net/manual/en/function.password-hash.php Commented Jan 28, 2016 at 1:21
  • 1
    you can just use password_hash as it uses bcrypt by default Commented Jan 28, 2016 at 1:23
  • As I said in the question itself, I cannot translate the documentation to my particular situation. Commented Jan 28, 2016 at 1:23
  • So you're saying just use it inline and don't make a class for it, Dagon? Commented Jan 28, 2016 at 1:25
  • 2
    potato potato, you want a class use one, you dont, dont, its not very relevant here Commented Jan 28, 2016 at 1:28

1 Answer 1

Reset to default
3

The best way seemed to be to just change the logic in the forms from 

password_hash(Input::get('password'),PASSWORD_DEFAULT),

to 

password_hash(Input::get('password'), PASSWORD_BCRYPT, array('cost' => 12)),

My existing password_verify worked from my user class.

Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

Congratulations on moving to a more secure algorithm! It would be wise to increase your cost value to something higher - try 14 or 15 and see how it works.
Would you say 12 is reasonably crackable? I know it is an exponential thing and there is always the speed vs security tradeoff.
I say bring it up until you see noticeable slowdowns on a single login, and then back down one notch. Repeat for hardware upgrades. Remember that if you have 16 cores in the server, you can lbe hashing 16 different people's passwords during that same time, so if you had it set to run at about one third of a second, you could have 48 logins per second; that's 2,880 logins per minute, or 172,800 logins per day. Passwords should only be hashed on actual (attempted) logins, so mere app usage doesn't affect that much (unless it's a very CPU intensive app).
Yeah. That makes sense. It is a php app that I distribute so people set their own settings, but I can definitely mess with the default a bit to make it more secure to begin with. Thanks for the advice.
Don't forget to convert old hashes to the new format as they log in (i.e. during the window of time you have their plaintext), assuming you're going to have hold and new hashes in the system a the same time. Don't just let the old hashes persist when you can upgrade them safely and transparently!
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.