What is better? Password_hash vs. SHA256 vs. SHA1 vs. md5

Joci93 · Mar 19, 2015 · Viewed 15.9k times

What is better with salt for password storage?

MD5:

$hash = md5($password . $salt);

Password_hash:

$hash = password_hash($password, PASSWORD_DEFAULT, $salt);

SHA1:

$result = sha1($salt.$string);

Answer

martinstoeckli · Mar 19, 2015

You should absolutely use the password_hash() function without providing your own salt:

$hash = password_hash($password, PASSWORD_DEFAULT);

The function will generate a safe salt on its own. The other algorithms are way too fast to hash passwords and therefore can be brute-forced too easily (about 8 Giga MD5 per second).
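The workflow recommended above, written out as an added example that is not part of the original answer: it shows the automatic salt, verification, rehashing at login, and the per-guess cost compared with salted MD5. The sample password, the `login()` helper and the loop count are assumptions made for illustration.

```php
<?php
// Added example. The password below is a constructed sample value.
$password = 'correct horse battery staple';

// 1. password_hash() draws a fresh random salt on every call, so hashing
//    the same password twice gives two different hash strings.
$hashA = password_hash($password, PASSWORD_DEFAULT);
$hashB = password_hash($password, PASSWORD_DEFAULT);
echo $hashA, PHP_EOL, $hashB, PHP_EOL;

// 2. Algorithm, cost and salt are encoded inside the hash string itself,
//    so one column per user is enough; no separate salt column is needed.
print_r(password_get_info($hashA));

// 3. Hypothetical login helper: verify against the stored hash, then upgrade
//    the hash if PASSWORD_DEFAULT or its cost has changed since it was stored.
function login(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return [false, $storedHash];          // reject, keep the stored hash
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $storedHash = password_hash($password, PASSWORD_DEFAULT);
    }
    return [true, $storedHash];               // caller persists this value
}

[$ok]  = login($password, $hashA);
[$bad] = login('wrong guess', $hashA);
var_dump($ok, $bad);

// 4. Cost per guess: time salted MD5 (as in the question) against one
//    password_hash() call on the same machine.
$salt = bin2hex(random_bytes(16));
$n = 100000;                                  // arbitrary loop count
$start = microtime(true);
for ($i = 0; $i < $n; $i++) {
    md5($password . $salt);
}
$md5Seconds = (microtime(true) - $start) / $n;

$start = microtime(true);
password_hash($password, PASSWORD_DEFAULT);
$slowSeconds = microtime(true) - $start;

printf(
    "md5: %.3f us per hash, password_hash: %.1f ms per hash (about %.0fx slower)\n",
    $md5Seconds * 1e6,
    $slowSeconds * 1e3,
    $slowSeconds / max($md5Seconds, 1e-12)
);
```

The ratio printed in step 4 is the factor by which each offline guess becomes more expensive for someone holding a stolen hash; the absolute numbers depend on the machine.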