• Tutorials

PHP Password Hashing to Prevent Attackers

Security is one the major factors that every programmer or user of web applications that involves communication has to consider. Hacking of systems is a very common phenomenon today and thus programmers are putting various measures in place to prevent attacks from hackers. One of such measures is the use of the password hashing technique. This is a technique that involves encrypting passwords when storing them instead of storing them in the plain text form. It is a mean of secure password storage. It is very important for security as it protects the stored passwords from being read if the database is hacked or accidentally gets into the wrong hands. PHP supports password hashing to prevent attackers from gaining stored passwords from various web applications in case.

In password hashing, the user passwords in plain text are converted into hash codes before storing. A hash code is some kind of digital fingerprint of a piece of data. It is generated using a one-way algorithm. A one-way algorithm implies that it is almost impossible to perform the reverse computation using the result to obtain the original data. Hence with the hash codes it is almost impossible for anyone to obtain the original password text. Thus when passwords are stored as hashes, even if an attacker successfully compromises with part of the system and reveals the list of hash codes, he cannot manage to get the stored password.

Password hashing in PHP

In PHP, password hashing is done using a number of hash algorithms. The main algorithms used for generating a hash of text are MD5, BCRYT and SHA1. These algorithms are efficient and collision rarely occurs. Collision refers to generation of the same hash code for two different texts. Pass wording hashing is performed during user registration. The same algorithm used during user registration is used during user authentication. The MD5 algorithm is implemented with the md5() function as follows:

$password =md5 ($password;

This statement creates an MD5 hash code of the password.

This function generates a 128-bit hash code out of the given password. The SHA1 is implemented in the same way using the sha1() function, and produces a 160-bit hash code. The sha1 function has lower chances of collision occurrence as than the md5 function as it produces more bit hash and the probability of collision occurrence decreases with the increase in bits. Probably you are thinking that hashing the password twice would result into a more secure password. This sounds logical but it does not work. It is something you should not try as it weakens the security of your passwords instead. It makes the hash inefficient and week as it increases the chances of collision.

As PHP has continued to evolve, these algorithms have been found less efficient and more efficient functions producing more bit hash codes are being utilized. Modern PHP is using algorithms from the SHA2 family such as the SHA256 and SHA512 which produce 256 and 512 bits hash respectively for password hashing. The functions result to better hashes with very little chance of collisions occurring. Their functions are implemented in code as follows:

$password =hash (“sha256”, $password); // produces 256-bit hash of the password

$password =hash (“sha512”, $password); // produces 512-bit hash of the password

Authentication of users is done by generation of a hash code of the supplied password each a time the user tries to login and the hash code produced is compared to the hashes already stored in the application database. If the hashes match then the passwords match.

Hashing of the passwords provides a high level security of the stored passwords but it does not fully guarantee the security of the passwords. Considering a case where you may have many similar passwords all the hash codes for the similar passwords will be the same. This implies that if the attacker gets to see the hashes he knows that the passwords are the same. If he manages to get one password of the accounts then he can use it to gain access to other accounts. To avoid such a problem and strengthen the password hashing security, PHP uses a random number while generating the hashes so that hashes produced are not similar even when the passwords are similar. The random number is called a salt and it is different for each password. This is implemented in code as follows:

function GenerateHashWithSalt($password)
{
$intermediateSalt = md5(uniqid(rand(), true));//creates a salt
$salt = substr($intermediateSalt, 0, MAX_LENGTH);
return hash(“sha256”, $password . $salt);
}

The uniqid() is used to create the salt and take the function rand() as argument for generation of the random number. The random number generated should be stored with the password so that it can be used during authentication.

Password hashing is very important for security of stored passwords in any applications. PHP application developers should practice hashing of passwords before storing them in application databases to ensure security. It’s an important security measure as it protects the passwords even if the database is hacked.