:
What is password hashing?
This is the process of preventing clear text storage of passwords in our database by encrypting passwords before being stored in the database. Depending on the method you choose to hash or salt passwords, hacking your database becomes less achievable.


There are different methods in different languages for hashing passwords. In this tutorial I will only show how to do this using the bcrypt algorithm and CRYPT_BLOWFISH to produce the hash.
Good news is that our hash will be crypt() compatible. Safe right? Not md-5 or SHA-1 (I think Facebook uses SHA-2 )

Let me grab a quick coffee before diving into this.

Waiting

Waiting for lecturer!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

.

Oops, seems like coffee got me down all day, maybe I meant I was going to do some coffee scripting. Anyways, let's dive right in.

password_hash() uses a one way hashing algorithm to create a new password hash and because of it's crypt() compatibility crypt() password hashes can be used with password_hash()

Example 1:

<?php>
  echo password_hash("DanielTheGeek" , PASSWORD_DEFAULT) . "\n";  .   //DanielTheGeek can be replaced with a variable
</php>

This will produce a 60 character result because it is bcrypt()

Your echoed output when run should produce a set of jargons not more than 60 characters.

Example 2:

<?php> 
$hash_options [
      'cost' => 14,
];

echo password_hash ("DanielTheGeek", PASSWORD_BCRYPT, $hash_options)
."\n";
?>

You'll still get some jargons show up when you run that, we just increased the default cost for bcrypt() to 14

Example 3;
Time to add salt to the meal

I don't advice people to use a static salt but a randomly generated one due to possible security breaches. I know big firms in our country that use static salting and have not been hacked probably because people didn't notice. I won't mention names here.

<?php
   $hash_options = [
    'cost' => 13,
    'salt' => mcrypt_create_iv(20, MCRYPT_DEV-URANDOM),
];

echo ("nnamdiosu", PASSWORD_BCRYPT, $hash_options)
."\n" ;
?>

Note: I discovered a nairaland glitch while trying to post this, using my name all through displayed some numbers in my screen repeatedly, I had to change it to nnamdiosu. Try this on your side and give me feedback. This could be dangerous if it is what I think it is.

Try this out while I take another hopefully short break.
Cheers

DanielTheGeek:
Oops, seems like coffee got me down all day, maybe I meant I was going to do some coffee scripting. Anyways, let's dive right in.

password_hash() uses a one way hashing algorithm to create a new password hash and because of it's crypt() compatibility crypt() password hashes can be used with password_hash()

Example 1:

<?php>
  echo password_hash("DanielTheGeek" , PASSWORD_DEFAULT) . "\n";  .   //DanielTheGeek can be replaced with a variable
</php>

This will produce a 60 character result because it is bcrypt()

Your echoed output when run should produce a set of jargons not more than 60 characters.

Example 2:

<?php> 
$hash_options [
      'cost' => 14,
];

echo password_hash ("DanielTheGeek", PASSWORD_BCRYPT, $hash_options)
."\n";
?>

You'll still get some jargons show up when you run that, we just increased the default cost for bcrypt() to 14

Example 3;
Time to add salt to the meal

I don't advice people to use a static salt but a randomly generated one due to possible security breaches. I know big firms in our country that use static salting and have not been hacked probably because people didn't notice. I won't mention names here.

<?php
   $hash_options = [
    'cost' => 13,
    'salt' => mcrypt_create_iv(20, MCRYPT_DEV-URANDOM),
];

echo ("nnamdiosu", PASSWORD_BCRYPT, $hash_options)
."\n" ;
?>

Note: I discovered a nairaland glitch while trying to post this, using my name all through displayed some numbers in my screen repeatedly, I had to change it to nnamdiosu. Try this on your side and give me feedback. This could be dangerous if it is what I think it is.

Try this out while I take another hopefully short break.
Cheers

wait o. bros pardon me. I felt md5 is one of the best way to encrypt passwords? also that glitch wen using ur name for the crypting.....was the hash now a constant character or was it random each time u tried it?

Nice thread, spreads mat

nnamdiosu:



wait o. bros pardon me. I felt md5 is one of the best way to encrypt passwords? also that glitch wen using ur name for the crypting.....was the hash now a constant character or was it random each time u tried it?

Wow, MD5 is just fast..which has made it the focus point of hackers, besides it is somewhat basic. The presence of senior brothers like crypt() and SHA-2 have made MD5 insecure.

The glitch produced constant characters each time I tried to comment with a fixed length. I want to know if it happened to you too, if it's what I'm thinking then it's a big glitch and a danger too.

Note: I am not an expert in cryptography, I just read a lot.

Sorry for that, I was testing something....

Keep up the good work dude.

donjayzi:
Keep up the good work dude.

Thank you for that.

Read more on password hashing at https://crackstation.net/hashing-security.htm#attacks

432410570

That's the number set I got

Thanks again for this bro

Hey OP, I use fernet. Is it as good as bcrypt?