password-hash

Possible Duplicate: What is the optimal length for user password salt? I have a database like below: create table user (id int primary key auto increment, username varchar(64), password varchar(128), # sha512 hash of password password_salt varchar(128) # sha512 hash of a random number used as salt ) Is this a good idea for ensuring password security with a salt? How long should a salt be? I assume that it can't hurt to have a 128bit (SHA-512) salt, but I've been wrong before. Bill Karwin I have several comments: Salts should be random and unique per user, but they don't have to be a hash

How come the documentation states that password_hash can return either a string or value false, but the following line of code returns NULL? $password = password_hash($password1, PASSWORD_BDCRYPT, array( 'cost' => 10 )); v010dya Despite the fact that it is not documented, the function does return NULL when one provides an incorrect value for algorithm. Currently supported constants are: PASSWORD_BCRYPT PASSWORD_DEFAULT And a typo in this case ( PASSWORD_BDCRYPT rather than PASSWORD_BCRYPT ) results in the value of NULL being passed, that in turn causes the same value as the return. Edit: Any

Code: echo password_hash("stackoverflow", PASSWORD_DEFAULT, ['salt' => 'twenty-one-characters'] ); Result: Warning: password_hash(): Provided salt is too short: 21 expecting 22 code: echo password_hash("stackoverflow", PASSWORD_DEFAULT, ['salt' => 'twenty-one-charactersA'] ); Result: $2y$10$dHdlbnR5LW9uZS1jaGFyYOVyX13hK9eb4/KXMAkHsAJX..YR7t/32 code: echo password_hash("stackoverflow", PASSWORD_DEFAULT, ['salt' => 'twenty-one-charactersB'] ); $2y$10$dHdlbnR5LW9uZS1jaGFyYOVyX13hK9eb4/KXMAkHsAJX..YR7t/32 Question: As you see, by appending A and B to 21 character strings we created two different

I have tried for days to get bcrypt installed on my windows machine with no luck. One of the dependencies (Windows 7 SDK) does not want to be installed even though I have tried numerous suggestions from around the net it just refuses to cooperate. I need a good alternative to bcrypt which does not have any dependencies. Check out https://npmjs.org/package/bcryptjs , it's fully compatible with bcrypt just without the dependencies. Or https://npmjs.org/package/simplecrypt if you don't want the crypto boilerplate and just need to encrypt and decrypt strings. If someone faces similar issue, you

I am currently learning PHP and I have been looking through the forum for current thinking on how best to Hash passwords in PHP. Can anyone advise on what is currently the best password hashing method to use. I have been told about PHPass, but are there better alternatives in 2017? Thank you for any advice, Ian Jay Blanchard You should never encrypt passwords, you should only hash them. Encryption implies that you can decrypt the password into a human readable form. You should never do that. Hashing is a one way street and once hashed a password cannot be recovered in human readable form.

Well, I have always seen (and following) people saying to use hashing mechanism for storing passwords in database. I am really concerned is it secure? Lets go with example. Let's say I am hacker and I got your database name, id and password. Now I have FULL access to your database. What people say passwords should be hashed because if someone hacks, they are visible to hackers. so If I run query as select id, password FROM userDetails I will get data as below Option 1 : Without hash ++++++++++++++++++++++++++++ + id + password + ++++++++++++++++++++++++++++ + id01 + password01 + + id02 +