I'm currently implementing a login system. I want to store the password and the salt in a database. Now I found out that there is a hash()
and a crypt()
function which seems to do the same (valid for SHA512).
hash()
is newer and seems to support more hashing alogrithms than crypt()
. Or there any other differences I should know/care about?
Edit:
function generatePasswordHash($password){
$salt = base64_encode(mcrypt_create_iv(8));
$calculatedPasswordHash = crypt($password, '$1$' . $salt . '$');
return $calculatedPasswordHash;
}
The result looks like $1$Qh6ByGJ9$zLn3yq62egvmc9D7SzA2u.
Here my password checking function:
function checkLoginData($username, $password){
global $db;
$sql = "SELECT * FROM users WHERE username = :username";
$result = $db->ExecuteQuery($sql, array("username"=>$username));
if(!empty($result)){
$result = $result[0];
$savedPasswordHash = $result['password'];
$splitted = explode("$", $savedPasswordHash);
$salt = $splitted[2];
$calculatedPasswordHash = crypt($password, '$1$' . $salt . '$');
if($savedPasswordHash === $calculatedPasswordHash){
return true;
}
}
return false;
}
Use hash
for hashing, for example in integrity checks. It directly uses the specified hashing algorithm.
crypt
is a special purpose function. It's used for password hashing and key derivation. You'll need to pass in a salt, which indirectly determines the hashing scheme used. Even if you choose CRYPT_SHA512
this isn't plain SHA512. It's a key derivation function that uses SHA512 as building block. In particular such a scheme is deliberately slow(hider brute-force attacks) and combines salt and password in a secure way.
For password hashing in a log system, crypt
is clearly the right choice.