Storing Passwords Securely
Question: How secure is storing passwords using MD5 with a salt compared to plain MD5?
Answer:
Ensuring secure password storage is paramount for data security. While salted MD5 is more secure than plain MD5, it falls short of recommended best practices. Implementing a standard library for password storage is the most effective solution.
Upgrading to PHP's Password API
PHP 5.5.0 introduced a password hashing API that simplifies secure password storage:
// Hash with the current default algorithm (bcrypt at the time of writing);
// a random salt is generated and embedded in the returned string.
$hash = password_hash($_POST['password'], PASSWORD_DEFAULT, ['cost' => 12]);
// Verify a login attempt against the stored hash (returns bool).
$checked = password_verify($_POST['password'], $hash);
Enhancing Security with Pepper
For additional security, adding a "pepper" to (automatically) salted password hashes is recommended:
// PHP namespaces use backslashes, not forward slashes.
use Netsilik\Lib\PepperedPasswords;
// Example pepper from the answer; in practice generate your own random bytes
// and keep the value outside the database (config or secret store).
$pepper = hex2bin('012345679ABCDEF012345679ABCDEF012345679ABCDEF012345679ABCDEF');
$hasher = new PepperedPasswords($pepper);
$hash = $hasher->hash($_POST['password']);
$checked = $hasher->verify($_POST['password'], $hash);
Legacy Standard Library: phpass
For PHP versions prior to 5.5.0, use phpass:
require('PasswordHash.php');
// 8 = base-2 logarithm of the iteration count; FALSE = do not fall back to
// the weaker portable (MD5-based) hashes, use bcrypt only.
$pwdHasher = new PasswordHash(8, FALSE);
$hash = $pwdHasher->HashPassword($password);
$checked = $pwdHasher->CheckPassword($password, $hash);
Additional Considerations:
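Worked example, added here and not part of the answer above: a login routine that accepts both a legacy salted-MD5 record and a password_hash() record, and upgrades the legacy record to the password API the moment a login succeeds. It assumes a hypothetical legacy layout of "salt:md5hex" with md5hex = md5(salt . password), and a caller-supplied $persist callback that writes the new hash back to the user row; the function names are mine, only password_hash, password_verify, password_needs_rehash and hash_equals are PHP's own.

```php
<?php
// Added example, not from the original answer: verify a login against either
// a legacy salted-MD5 record or a password_hash() record, and transparently
// upgrade the legacy one after a successful login.
// Assumptions (hypothetical): legacy rows are stored as "salt:md5hex" where
// md5hex = md5(salt . password); $persist writes the new hash to storage.

const PW_ALGO    = PASSWORD_DEFAULT;
const PW_OPTIONS = ['cost' => 12];

function isLegacyMd5Record(string $stored): bool
{
    // password_hash() output always starts with "$" ($2y$..., $argon2...);
    // the assumed legacy "salt:md5hex" layout never does.
    return $stored === '' || $stored[0] !== '$';
}

function verifyLegacyMd5(string $password, string $stored): bool
{
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$salt, $md5] = $parts;
    // Constant-time comparison; md5() returns lowercase hex by default.
    return hash_equals(strtolower($md5), md5($salt . $password));
}

function verifyAndUpgrade(string $password, string $stored, callable $persist): bool
{
    if (isLegacyMd5Record($stored)) {
        if (!verifyLegacyMd5($password, $stored)) {
            return false;
        }
        // Login succeeded with the weak hash: replace it now, while the
        // plaintext is available, so the MD5 record does not linger.
        $persist(password_hash($password, PW_ALGO, PW_OPTIONS));
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Also catch records made with an older algorithm or a lower cost factor.
    if (password_needs_rehash($stored, PW_ALGO, PW_OPTIONS)) {
        $persist(password_hash($password, PW_ALGO, PW_OPTIONS));
    }
    return true;
}

// --- constructed demo data (not real credentials) ---
$salt   = bin2hex(random_bytes(8));
$legacy = $salt . ':' . md5($salt . 'correct horse battery staple');
$store  = ['alice' => $legacy];

$persist = function (string $newHash) use (&$store): void {
    $store['alice'] = $newHash;
};

// Wrong password: fails and the legacy record is left untouched.
var_dump(verifyAndUpgrade('wrong password', $store['alice'], $persist));
var_dump(isLegacyMd5Record($store['alice']));

// Right password: succeeds and the record is now a password_hash() string.
var_dump(verifyAndUpgrade('correct horse battery staple', $store['alice'], $persist));
var_dump(isLegacyMd5Record($store['alice']));
```

The upgrade happens only on a successful login because that is the only moment the plaintext is available; users who never log in again keep their MD5 record, so a migration plan should also set a deadline after which remaining legacy rows are forced through a password reset.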