0

I have been reading a lot online that MD5 is not very secure, i have decided to switch my site over to use SHA512, i have never done this before so really i am just asking you to check to see if i have done it correctly, or is there an alternative more secure hash method which i can use to store the password ?

$upass is the users password which i need to hash.

Here was my origional PHP with MD5 :

 $uname = mysql_real_escape_string($_POST['uname']);
 $sname = mysql_real_escape_string($_POST['sname']);
 $email = mysql_real_escape_string($_POST['email']);
 $upass = md5(mysql_real_escape_string($_POST['pass']));

Here is my new PHP using SHA :

 $uname = mysql_real_escape_string($_POST['uname']);
 $sname = mysql_real_escape_string($_POST['sname']);
 $email = mysql_real_escape_string($_POST['email']);
 $upass = mysql_real_escape_string($_POST['pass']);

 $upass = hash('SHA512', $upass);

Here is also the hashed string for the word "password" just to make sure the hashing is working.

SHA512 :

b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e

MD5 :

5f4dcc3b5aa765d61d8327deb882cf99

Thanks for any help / advice in advance.

Gumbo
  • 643,351
  • 109
  • 780
  • 844
Bradley Cousins
  • 187
  • 6
  • 17
  • 1
    While you are fixing/updating the code to use "good, modern practices", also use placeholders / parameterized queries and mysqli or PDO. – user2864740 Jul 12 '15 at 00:42
  • 1
    Neither MD5 nor SHA512 are encryption ciphers but cryptographic hash functions. That’s a huge difference: A hash function has no reverse operation while an encryption has (i. e., the decryption). – Gumbo Jul 12 '15 at 06:46

1 Answers1

5

The right way would be to use password_hash using PASSWORD_DEFAULT for the algorithm. That way, you will have a good algorithm (bcrypt, if you have PHP 5.5), which may be automatically upgraded to a better one in future versions of PHP, withouth the need to change your code. The passwords are also hashed with a salt.

GolezTrol
  • 114,394
  • 18
  • 182
  • 210
  • That sound great, I'm not familiar with password_hash, please would you edit my code to accommodate for it please ? – Bradley Cousins Jul 12 '15 at 00:19
  • 1
    In your code it's almost a drop-in replacement for `hash`. Apart from hashing, you also need checking, of course. That is done using [`password_verify`](http://php.net/manual/en/function.password-verify.php). The documentation pages contain examples to get you started. – GolezTrol Jul 12 '15 at 00:23
  • Thats great thank you, I've just added that, is there a way to change the cost ? – Bradley Cousins Jul 12 '15 at 00:25
  • Yes. The third parameter is an array of options, which can contain a cost. – GolezTrol Jul 12 '15 at 00:31
  • @BradleyCouisns The cost *should* cost CPU time and should not be set to lower than the default. The cost is one reason why bcrypt - and *unlike SHA*, of any length - is suitable for a password hash. – user2864740 Jul 12 '15 at 00:43