By applying a hashing algorithm to your user’s passwords before storing them in your database, you make it impossible for an attacker to determine the original password, while still being able to compare the resulting hash to the original password in the future. A cryptographic salt is a data that is applied during the hashing process in order to eliminate the possibility of the output being looked up in a list of pre-calculated pairs of hashes and their input. Essentially, PHP salts and hashes are cryptographic tools that help secure your site’s login.
Related Guide – Comprehensive guide on PHP Security
Why You Should Hash Passwords
Password hashing is one of the most basic security practices that must be followed when you plan to accept passwords. Without hashing, any passwords stored in your database can be stolen if the database is compromised, and then they can immediately be used to compromise not only your application but also the accounts of your users on other services if they use the same password elsewhere.
However, it is still important to secure your website in other ways, as hashing only protects passwords from being compromised in your database, but does not necessarily protect them from being intercepted by malware or hackers.
Related Guide – PHP Security Issues
How You Should Hash Passwords
It is advisable to use either of the following two methods to hash your passwords:
- The native password hashing API provided by PHP 5.5 or the pure PHP compatibility library available for PHP 5.3.7 and later. The native password hashing API available in PHP 5.5 safely handles both hashing and verifying passwords securely.
- Using the crypt() function, as it supports several hashing algorithms in PHP 5.3 and later. It is suggested to use the Blowfish algorithm – which is the default option – as opposed to common hashing functions. This is because common hashing functions such as md5() and sha1() are very easy to brute-force and will not hold up well. It is, therefore, advised to use hashing functions that are very difficult to reverse, like the options given above, so that the original password is harder to determine.
Note: It is strongly recommended that you use the native password hashing API with the crypt() function in order to prevent timing attacks automatically.
How You Should Make And Store Salts
In the most basic terms, a salt is a bit of random data added to the end of a password to make your hash function difficult to reverse, thus protecting the password. While there are a lot of salt generators available online, you can use password_hash() to create a random salt – this is the easiest approach.
The return value of your chosen hashing method includes the salt as part of the generated hash. This is the value you should store in your database, as it includes information about the hash function that was used and can then be used to match passwords and authenticate login attempts.
Related Guide – PHP Hack & Malware Removal Guide
Conclusion: PHP Salts and Hashes
An encrypted password is more difficult to hack than one that’s not, and by hashing passwords in your PHP site, you make it harder for a hacker to attack you. Cyber attacks are horrible, and so are their after-effects on your traffic, revenue, and even your reputation. So, to prevent getting attacked, it is advisable to invest in security and follow good security practices like using PHP salts and hashes – a little bit on your part can go a long way!
At Astra, we have a team of security experts who on a daily basis help website owners and developers to secure their website from attackers. Our intelligent firewall provides real-time 24×7 security against bad bots, hackers, malware, XSS, SQLi, and 80+ attacks. Astra Firewall is highly tailored for PHP-based websites and CMS such as WordPress, PrestaShop, OpenCart & Magento to give all-around security to your website.