Passwords and Cryptographic hash function

Last Updated : 29 Sep, 2022
We have introduced and discussed the importance of hashed passwords. To create strong hashed passwords, we must understand some terminology related to them, and then we will see how to create a strong salted password hash by example in PHP.

What is a Cryptographic hash function?

A cryptographic hash function is a special class of hash function that has certain properties which make it suitable for use in cryptography. It is a mathematical algorithm that maps data of arbitrary size to a bit string of a fixed size (a hash function) which is also designed to be a one-way function, that is, a function which is infeasible to invert (Source : Wiki).

If you've ever looked at login code, the chances are you've seen developers using hash('sha256', $password), or even md5($password), to "secure" user passwords. Password hashes generated this way are laughably easy to crack; with weak algorithms and no salting or stretching in place, you're almost giving your passwords to an attacker who gains access to the database.

  • MD5 was initially designed to be used as a cryptographic hash function, but it has been found to suffer from extensive vulnerabilities (Source : Wiki).
  • SHA-1 is no longer considered secure against well-funded opponents. In 2005, cryptanalysts found attacks on SHA-1 suggesting that the algorithm might not be secure enough for ongoing use (Source : Wiki).
  • SHA-2, not often used as of this writing, is the successor of SHA-1 and groups four hash functions: SHA-224, SHA-256, SHA-384 and SHA-512. It works the same way as SHA-1 but is stronger and generates a longer hash.
  • Blowfish is a symmetric-key block cipher, included in a large number of cipher suites and encryption products. Blowfish provides a good encryption rate in software, and no effective cryptanalysis of it has been found to date.

What is Salting?

A salt is random data that is used as an additional input to a one-way function that "hashes" a password or passphrase. To salt a password we add a few random characters to it before hashing, so that the same password results in a unique string each time it is hashed, negating rainbow table attacks and making it necessary to crack each password individually. Salts are usually stored alongside the hash and must be used when checking a password against the stored hash.

The password_hash() function in PHP salts, stretches, and by default chooses the best hashing algorithm available at the time of execution, meaning that we never have to worry about choosing an algorithm, or even updating our code to use a stronger algorithm as time moves on: if a better algorithm becomes available, the function will start using it for new hashes. Here's an example of how to use this function:

PHP

<?php
// PASSWORD_DEFAULT is a constant designed to change
// over time as new and stronger algorithms are
// added to PHP.
// 'ub3rs3cur3' is the password to be hashed.
// http://php.net/manual/en/function.password-hash.php
$hash = password_hash('ub3rs3cur3', PASSWORD_DEFAULT);

// password_verify() verifies that a password matches a hash
// http://php.net/manual/en/function.password-verify.php
echo password_verify('ub3rs3cur3', $hash) ? 'Correct password!'
                                          : 'Incorrect password!';
?>

Hashes start with the algorithm identifier, the cost, and 22 alphanumeric salt characters, followed by the hashed password:

$2y$10$Ka3/TxAu3UrGX4E8suGkKO4V43dK9CcF.BTT5P8OzOO7/PRjqFn0a
$2y$10$6kf8iQDut0i7AOx2TULi1O9I5yxdSfX/T7HRy2KbMmliaYo4fLR.i
$2y$10$fPEY1vxgP15wwpfPdA22WOhkMqvmLsZtfzn9sr3rCw2V4N1tbEyle
$2y$10$878u5R1q8tP3karLHwBbAOfax8ybPt43U3F6lG9oOV5w9yfj/k1cq
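The following is an added example, not code from the original article: it splits a stored hash into the fields listed above (prefix, cost, salt, digest) and shows the login flow the salting section describes, where password_verify() checks the password and password_needs_rehash() upgrades a hash that was created with an older cost or algorithm. The user record and the target cost of 12 are assumptions for illustration.

```php
<?php
// Added example (not from the original article). Assumes a user record is
// just a stored hash string and that the application wants bcrypt cost 12.

// Split a bcrypt-style hash into its fields: "$2y$" prefix, 2-digit cost,
// 22-character salt and 31-character digest (60 characters in total).
function parse_bcrypt_hash(string $hash): ?array {
    $re = '/^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $hash, $m)) {
        return null;                       // not bcrypt, or malformed
    }
    return ['algo' => $m[1], 'cost' => (int)$m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

// Verify a login attempt. On success, return the hash that should now be
// stored for the user: the old one if it is still up to date, or a fresh
// password_hash() result if the stored hash uses a weaker cost/algorithm.
// Returns null on a failed login, so no rehash happens for wrong passwords.
function login(string $password, string $stored_hash, int $cost = 12): ?string {
    if (!password_verify($password, $stored_hash)) {
        return null;
    }
    $opts = ['cost' => $cost];
    if (password_needs_rehash($stored_hash, PASSWORD_DEFAULT, $opts)) {
        // The caller writes this new hash back to the user record.
        return password_hash($password, PASSWORD_DEFAULT, $opts);
    }
    return $stored_hash;
}

// Constructed sample: a hash made with the older cost of 10, as in the
// article's sample hashes above.
$old = password_hash('ub3rs3cur3', PASSWORD_BCRYPT, ['cost' => 10]);
print_r(parse_bcrypt_hash($old));          // shows algo 2y, cost 10, 22-char salt

$new = login('ub3rs3cur3', $old);          // correct password: hash is upgraded
$info = $new === null ? null : password_get_info($new);
var_dump($info !== null && $info['options']['cost'] === 12);

var_dump(login('wrongpass', $old));        // failed login: returns NULL
?>
```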

That's all it takes to generate and verify reasonably secure password hashes in PHP. At the time of writing, Blowfish is the default and best algorithm and a 60-character hash is generated; however, as the PHP manual page notes (see References), creating a password database field with a length of 255 characters is not a bad idea, to allow for future algorithmic expansion.

Sources :
https://en.wikipedia.org/wiki/Salt_(cryptography)
http://php.net/manual/en/function.password-hash.php
http://stackoverflow.com/questions/30279321/how-to-use-password-hash
https://en.wikipedia.org/wiki/Cryptographic_hash_function
https://www.sitepoint.com/hashing-passwords-php-5-5-password-hashing-api/

kartik