I am about to create a project, I want to focus a lot on the security that it will have, and well, I am about to develop the login, in general I use Sha-1 to encrypt passwords, I do not know if it is the safest, but so far it is robust unlike MD5.
My question is if I'm okay with Sha1 in terms of security and data encryption in this password case, or is there any other safer hash that I can use?
As I mentioned, I want to focus as much as possible on security in this system, if you know extra information about security or from experiences, it would really help me a lot.
Introduction
We always focus on putting security in our system, but the problem is not to protect it externally, but internally.
Even if we put Chuck Norris to protect the system, if our Database is poorly designed or our SQL statements are poorly structured, the system will be insecure.
So here are some small recommendations:
1) Use PDO instead of mysql / mysqli, you increase security and avoid SQL Injections
Read:
The best PDO guide I've seen: https://phpdelusions.net/pdo
How to protect ourselves from SQL Injection: https://phpdelusions.net/sql_injection
How to avoid SQL injection in PHP?
What is SQL injection and how can I avoid it?
How to prevent SQL injection?: https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php
2) Use SQL statements as a programming language (which it is) and NOT as a simple string.
3) Avoid using GET, and use POST.
Password security :
A programming maxim that I consider important: "ALWAYS distrust the user", for this reason I must avoid giving them keys (used in symmetric and asymmetric encryption methods), or ways to decode the information, a normal user would not do anything, but one knowledgeable or even just curious could wreak havoc.
Read: - Security – Differences Between Symmetric, Asymmetric and Hashing Encryption : http://blog.capacityacademy.com/2013/08/16/seguridad-informatica-cifrado-symmetrico-asimetrico-hashing/
Then what should I do?:
Use a hashing:
In PHP we have several methods, including md5() and sha1(), but the official documentation tells us this:
That is, they can be reversed:
Example:
For more research :
Manual of Passwords in PHP: http://php.net/manual/es/faq.passwords.php
Now what method to use?
Simple, one native to PHP:
password_hash()
.I will leave you a link of a polyfill created for PHP 5.5 of password_hash().
Although since PHP 5.5 this library is included, it
polyfill
has a demo that explains how to use it step by step:PHP 5.5-like password functions for PHP 5.3 and 5.4 :
https://github.com/Antnee/phpPasswordHashingLib
How to use it? :
This will be the password that we will store in the database.
To verify :
We get the password from the DB.
Now we save in a variable the POST of the password entered to enter the system:
We use password_verify(), this will take care of checking if that data corresponds to the hash that we have saved.
PHP will save the
salt
one used to verify the validity of that password, if we have the same data 100 times, example "123456", each hash will have different values.Now, it is recommended that the password field in the database have a length of 255 and also a type
varchar
, since the hash is a combination of letters and numbers.A hash is something like a fingerprint. It is useless for encrypting data as this would mean that there should be some way to recover the original data from the hash, and that is not possible.
The MD5 hash algorithm reduces a block of data to a 128-bit footprint.
The SHA-1 hash algorithm reduces a block of data to a 160-bit footprint.
Initially both should be safe enough if used correctly together with a salt, but the problem is that in both cases ways have been discovered to produce "collision" without having to use brutal force on the total number of bits.
In most algorithms you need a good amount of "free" data to be able to calculate something that generates the collision. In the case of MD5, 128 bytes are needed , so if a password cannot have 128 characters, that algorithm cannot be used to generate a collision.
In the case of SHA-1 there are algorithms that reduce the break to 2^63 .
Introducing a salt greatly reduces the probability of getting a collision .
When it is obviously dangerous to use a HASH that has been shown to be vulnerable, it is to confirm the integrity of a file , for example an executable, since these have many more bytes to be modified to generate the collision.
SHA-2 is currently used with different hash lengths: 256, 384 and 512 bits .
Although it is more difficult to find a collision for larger bit size algorithms, the use of a salt is always recommended.
ALL ALGORITHMS ( try one online ) are vulnerable to rainbow table attacks . There are even rainbow tables with some common forms of salt, but it greatly increases the size of the database.
In short, to store the hash of a password with a few characters (for example 32 or 64 characters) a very secure hash algorithm is not necessary, but a good reinforcement with a good salt.
My recomendation? Either use SHA-2 with salt or leave the job to PHP's password_hash() function which will choose the most secure algorithm and best salt method so far (note that in that case you should keep your PHP version at the same time). day).
The most relevant documentation: