hash - Is this a bad practice for storing passwords in PHP? -


i'm using crypt function in php hash passwords, along salt obviously. i'm generating salt calling md5 function on date function. , every time user logs in salt gets regenerated.

is of bad in way? still relatively new php (and webdev) , i'm trying security right before deploy code.

$salt = md5(date('m/d/y h:i:s a')); 

it considered bad practice many. here (some of) reasons:

  1. you using md5, weak, old, , fast calculate hash.
  2. the salt generated in predictable fashion. salt should different every user (even if registered in same second) , should more random date.
  3. you reinventing wheel. using crypt function hash passwords, there no reason not use getting secure salt. password_hash() built in function of php 5.5, , compatibility library versions older that.

how use password_hash()

tl;dr: use password_hash() generate salt , hash password, no need reinvent wheel in less secure fashion.

credit given hobo sapiens mentioning password_hash() first.


Comments

Popular posts from this blog

twig - Using Twigbridge in a Laravel 5.1 Package -

jdbc - Not able to establish database connection in eclipse -

Kivy: Swiping (Carousel & ScreenManager) -