Best PHP hash for speed and security

Say I am hashing a password but want something that is not only fast but also secure. md5 and SHA are the popular ones but there is also haval and tiger to name a few. Should a user use a less used hashing method as well?

So what is the ideal hash for speed and security for storing passwords in your eyes?

As with most of these type of posers, it’s all down to the implementation. For instance, hashing the character ‘a’ as a password is easily looked up (via Rainbow Tables). In comparison, hashing say the users supplied password, a user specific value (for instance db id) and system specific (static) value with the same algorithm would be more than sufficient.


<?php
$sql = sprintf(
    "SELECT id FROM user WHERE username = '&#37;s' AND fingerprint = SHA1(CONCAT(id, '%s')",
    $username,
    $this->config->get('super-secret-key') . $this->input->post->get('password')
);
?>

So basically pick one and be sure to put a nice salt in it then? At the PHP manual there is a table of the speed so that should also be taken into consideration right?

Results: (in microseconds)

  1. md4 5307.912
  2. md5 6890.058
  3. crc32b 7298.946
  4. crc32 7561.922
  5. sha1 8886.098
  6. tiger128,3 11054.992
  7. haval192,3 11132.955
  8. haval224,3 11160.135
  9. tiger160,3 11162.996
  10. haval160,3 11242.151
  11. haval256,3 11327.981
  12. tiger192,3 11630.058
  13. haval128,3 11880.874
  14. tiger192,4 14776.945
  15. tiger128,4 14871.12
  16. tiger160,4 14946.937
  17. haval160,4 15661.954
  18. haval192,4 15717.029
  19. haval256,4 15759.944
  20. adler32 15796.184
  21. haval128,4 15887.022
  22. haval224,4 16047.954
  23. ripemd256 16245.126
  24. haval160,5 17818.927
  25. haval128,5 17887.115
  26. haval224,5 18085.002
  27. haval192,5 18135.07
  28. haval256,5 18678.903
  29. sha256 19020.08
  30. ripemd128 20671.844
  31. ripemd160 21853.923
  32. ripemd320 22425.889
  33. sha384 45102.119
  34. sha512 45655.965
  35. gost 57237.148
  36. whirlpool 64682.96
  37. snefru 80352.783
  38. md2 705397.844

IMHO, yes. :cool:

Is a double salt overkill like lets say…


$password = "password";
$salt1 = "gImMIe";
$salt2 = "hASh";
$newpass = hash('tiger192,3', $salt1.$password.$salt2)

Not really… I tend to use a double salt.

As far as performance goes, it doesnt have any effect.

What I would say tho, is its good to have a salt that is specific to the user…

Using you example above, you might want to change it to


$password = "password";
$salt1 = "gImMIe";
$salt2 = $userID; // A user specific var
$newpass = hash('tiger192,3', $salt1.$password.$salt2)

Speed and security are mutually exclusive. The reason that more secure algorithms are slower is because they’re performing more operations to obfuscate the content. Additionally, if your algorithm is implemented correctly, the most effective way to determine the password is brute forcing, which means that the attacker will need to attempt many hashes before finding the correct one; as a result, slower means that each attempt will take more time, thus increasing the total time before determining the password. This is good. I personally prefer to use the Whirlpool algorithm, as the name is easy to remember. I wouldn’t use anything personally which is faster than SHA512.

As for your question about salting: you should actually salt every iteration of your hashing algorithm for maximum security. In psuedo-code:

$i = 0;
$password = "password";
$salt = "salt";

while($i < 50000){
    $password = hashfunc($password + $salt);
    $i++;
}

function hashfunc($tohash){
    return hash($tohash, $algorithm);
}

Disclaimer: It’s Monday morning, and there’s a nagging part of my brain which thinks that there’s an issue with the code I posted, so if anyone can correct me, I’d greatly appreciate it. The fundamental principle should be sound, however.

Off Topic:

:lol:

Indeed, $algorithm is undefined within your hashfunc function. :wink: