PHP Classes

This is wrong and misleading

Subject:This is wrong and misleading
Summary:Your advice is harmful
Messages:7
Author:Scott Arciszewski
Date:2015-12-21 03:47:21
Update:2016-03-02 18:55:27
 

1. This is wrong and misleading
Scott Arciszewski - 2015-12-21 04:18:29
"Sensitive information such as passwords must be hashed using at least SHA1 or a stronger hashing algorithm like those implemented by the password_hash() function."

NO! You should NOT use SHA1 for passwords. This is a terrible idea.

Read this:

paragonie.com/blog/2015/08/you-woul ...

2. Re: This is wrong and misleading
jimmydorry - 2015-12-21 04:53:10 - In reply to message 1 from Scott Arciszewski
It says _at least_, but yes... SHA1 is a bad recommendation.

3. Re: This is wrong and misleading
Scott Arciszewski - 2015-12-21 17:15:25 - In reply to message 2 from jimmydorry
"At least X" implies X is acceptable.

The only acceptable answers are:

1. password_hash() and password_verify()
2. PECL scrypt
3. PECL libsodium

4. Re: This is wrong and misleading
Atif Shahab Qureshi - 2015-12-22 17:40:03 - In reply to message 2 from jimmydorry
First of all, thank you so much for sharing your knowledge. Now, I have just mentioned there that passwords must be hashed using at least SHA1 or a stronger hashing algorithm. It means that SHA1 is the least preferred choice. SHA1 and MD5 have limitations too. What I meant was passwords should always be validated using encrypting functions.

5. Re: This is wrong and misleading
Manuel Lemos - 2015-12-22 18:41:29 - In reply to message 4 from Atif Shahab Qureshi
Yes, password_hash is more recommended not just because it uses stronger hashing algorithms but also because there is a cost factor that determines how many times the hashing should be applied, thus making it much more expensive to compute the hashes and find the original password with brute force methods.

The only matter about password_hash is that it requires PHP 5.5 and not everybody is on that PHP version yet.

Anyway, as moderator I have changed the text to not recommend SHA1 at all because sooner or later everybody will be using PHP 7.

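As an added example (not code from this thread, nor from the article it discusses), the password_hash()/password_verify() approach listed in message 3 beside the sha1() scheme the thread rejects, with the cost factor from message 5 and a rehash-on-login path for old records; the 'correct horse' sample value and the 40-hex-character test for legacy SHA1 rows are assumptions of this example.

```php
<?php
// Added example, not code from the thread or from the article it discusses.
// password_hash()/password_verify()/password_needs_rehash() need PHP >= 5.5,
// hash_equals() needs PHP >= 5.6. The sha1() path only models the old scheme.

// Unsalted and fast: every user with the same password gets the same digest.
function legacyHash($password) {
    return sha1($password);
}

// bcrypt with a random per-user salt; each +1 on cost doubles the work.
function storePassword($password, $cost = 12) {
    return password_hash($password, PASSWORD_BCRYPT, array('cost' => $cost));
}

// Verifies a login and says whether the stored value should be replaced:
// either it is a bare 40-hex SHA1 record, or its cost is below policy.
function checkPassword($password, $stored, $cost = 12) {
    if (preg_match('/^[0-9a-f]{40}$/', $stored)) {
        $ok = hash_equals($stored, sha1($password)); // constant-time compare
        return array('ok' => $ok, 'rehash' => $ok);   // migrate on success
    }
    $ok = password_verify($password, $stored);
    $opts = array('cost' => $cost);
    $upgrade = $ok && password_needs_rehash($stored, PASSWORD_BCRYPT, $opts);
    return array('ok' => $ok, 'rehash' => $upgrade);
}

// Constructed sample data: one legacy record, then two bcrypt hashes of the same password.
$alice = legacyHash('correct horse');
echo 'sha1 equal for equal passwords: ', var_export(legacyHash('correct horse') === $alice, true), "\n";

$h1 = storePassword('correct horse');
$h2 = storePassword('correct horse');
echo 'bcrypt equal for equal passwords: ', var_export($h1 === $h2, true), "\n";

// The cost factor from the thread: time one hash at two settings.
foreach (array(10, 12) as $c) {
    $t = microtime(true);
    storePassword('correct horse', $c);
    printf("cost %d: %.3f s per hash\n", $c, microtime(true) - $t);
}

// Login against the legacy record: verified, then rehashed for storage.
$r = checkPassword('correct horse', $alice);
if ($r['ok'] && $r['rehash']) {
    $migrated = storePassword('correct horse'); // persist in place of $alice
    echo 'migrated verifies: ', var_export(password_verify('correct horse', $migrated), true), "\n";
}
```
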
6. Re: This is wrong and misleading
Scott Arciszewski - 2015-12-23 16:10:48 - In reply to message 4 from Atif Shahab Qureshi
> It means that SHA1 is the least preferred choice.

NO! Saying "SHA1 is the least preferred choice" is the same as saying "SHA1 is somewhere on the list (specifically the bottom) of acceptable choices". It isn't.

> What i meant was passwords should always be validated using encrypting functions.

NO! https://paragonie.com/blog/2015/08/you-wouldnt-base64-a-password-cryptography-decoded

Hashing is not encryption.

7. Re: This is wrong and misleading
Atif Shahab Qureshi - 2016-03-02 18:55:27 - In reply to message 6 from Scott Arciszewski
There are various encryption techniques. What we do by hashing is actually encryption. So I am not getting your point "Hashing is not encryption".