+ 3
Is it a good idea to store passwords in a database using MD5? What are the different methods to secure my database?
3 Answers
+ 2
You can use MD5, SHA-1, SHA-256 and SHA-512. These are the encryption methods that I use.
+ 2
Storing hashed passwords in databases is a security practice; that way, even if the database gets compromised, the adversary wouldn't get plaintext passwords.
Not saying that hashed passwords are the best solution, but it does add one layer of security.
So even if the adversary gets their hands on the hashed passwords, he/she will have to crack them, meaning reverse the hash into plaintext (we don't exactly reverse the hash, because hash functions are irreversible; instead we crack it).
Cryptographic hash functions (MD4, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, RIPEMD... these are just the popular ones) are one-way functions.
Meaning they are irreversible. Well, they aren't actually irreversible, but what we mean is that computing the reverse of a hash is computationally infeasible.
That is, given 'x', computing H(x) should be fairly simple and fast, but given H(x), computing the value of 'x' should be hard and time consuming (like, say, days or months or years).
Also, hash functions are, or should be, collision resistant, meaning no two inputs can generate the same output.
That is, given two inputs 'x' and 'y', H(x) cannot be equal to H(y).
Summing up: 2 main properties of hash functions are:
1) They are irreversible
2) They are collision resistant
One more thing to speak of is cryptographic salts. They add complexity to your password. They're just random characters you could prepend/append to the plaintext before passing it to the hash function.
This way, even if two people had the same password, their hashes will not be the same.
As for which one to use, I would recommend using SHA-256.
0
In PHP, I recommend using password_hash() and password_verify() functions which provide safe hashing algorithms out of the box.
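The two answers above describe, respectively, salting plus a general-purpose hash (SHA-256) and PHP's password_hash()/password_verify(), which wrap a salted, deliberately slow password-hashing algorithm. The following is an added example, not code from either answer, showing both schemes in Python with the standard library: a salted SHA-256 record in the "salt-prefix-then-hash" form the second answer describes, a PBKDF2-HMAC-SHA256 record as the Python-side analogue of what password_hash() gives you out of the box, and one verify function that parses either stored record and compares in constant time. The record format (`scheme$...$digest`), the 16-byte salt size and the 600,000-round default are my assumptions for the example, not something the answers specify.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_BYTES = 16          # assumed salt length for this example
PBKDF2_ROUNDS = 600_000  # assumed default iteration count; tune to your hardware


def hash_password_sha256(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-256 as the second answer describes: H(salt || password).

    A fresh random salt is drawn per password unless one is supplied (verification).
    Stored as 'sha256$<salt hex>$<digest hex>' so the salt travels with the hash.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"sha256${salt.hex()}${digest}"


def hash_password_pbkdf2(password: str, salt: Optional[bytes] = None,
                         rounds: int = PBKDF2_ROUNDS) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256): the slow-by-design style that
    password-specific APIs such as PHP's password_hash() provide.

    Stored as 'pbkdf2_sha256$<rounds>$<salt hex>$<derived key hex>'; keeping the
    round count in the record lets you raise it later without breaking old rows.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the record from the stored salt/parameters and compare it
    with a constant-time comparison (hmac.compare_digest), so a mismatch does
    not leak how many leading characters matched."""
    parts = stored.split("$")
    scheme = parts[0]
    if scheme == "sha256" and len(parts) == 3:
        candidate = hash_password_sha256(password, bytes.fromhex(parts[1]))
    elif scheme == "pbkdf2_sha256" and len(parts) == 4:
        candidate = hash_password_pbkdf2(password, bytes.fromhex(parts[2]), int(parts[1]))
    else:
        raise ValueError(f"unrecognised stored password record: {stored!r}")
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample input: two users who happen to choose the same password.
    alice = hash_password_sha256("correct horse battery staple")
    bob = hash_password_sha256("correct horse battery staple")
    print("same password, different records:", alice != bob)
    print("alice verifies:", verify_password("correct horse battery staple", alice))
    print("wrong password rejected:", verify_password("Correct horse battery staple", alice))

    carol = hash_password_pbkdf2("hunter2")
    print("pbkdf2 record:", carol)
    print("carol verifies:", verify_password("hunter2", carol))
```

Note that both functions derive the salt with os.urandom rather than a general-purpose PRNG, and that the verify path never compares with `==`; if you migrate from the SHA-256 records to the PBKDF2 ones, the scheme prefix lets you verify old rows with the old function and re-hash on the next successful login.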