
Just started researching on the latest PHP encryption methods, I've found out m


Question

Just started researching on the latest PHP encryption methods, I've found out my favorite algorithms are compromised. MD5 is no good, SHA-1 has "found flaws", SHA-512 isn't "meant for passwords", these are all from various StackOverflow sites.

HMAC as of 2011 had "no known attacks", and PHP's password_hash is a new addition that uses a "strong one-way algorithm".

I have heard good things about HMAC + MD5, though it has been suggested it would be best to use an algorithm that has yet to be compromised. I see bcrypt is an add-on, there is the native crypt() and now mcrypt? But password_hash handles all of these?

To me, it's all starting to sound like a deadly game of what sounds best. Can someone with adequate knowledge on the subject answer: Which PHP encryption method(s) compatible with password authentication are currently most secure and have no known vulnerabilities? In other words which method produces the hash that is least likely to be maliciously generated? Does any native PHP functionality make the list?

Explanation / Answer

The nice thing about PHP's password_hash() and password_verify() functions is that they are designed with the future in mind, but they are also designed to be backward compatible.

The hashing algorithm that password_hash() uses to create a hash is stored in the output produced by password_hash(), and this is how password_verify() knows which algorithm to use to verify a given password against a given hash.

As newer/stronger hashing algorithms are invented in the future, these will be incorporated in the password_hash() and password_verify() functions in future versions of PHP. But, because the hashing algorithm is stored in the output of password_hash(), this pair of functions will always be backward compatible. In other words, a hash created today using password_hash() will be possible to verify years from now using password_verify() in a future version of PHP, even if the algorithm used to create the hash today is obsolete by that time.

So, if you use password_hash() and password_verify(), you will always have the benefit of the latest hashing algorithms available at the present time, and you will always be able to verify hashes created using these algorithms in the future, even if those algorithms become deprecated by that time.
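
The behaviour described in the answer above, as an added example that is not part of the original answer: the stored hash carries its own algorithm and cost, so an old hash still verifies and can be upgraded at the next successful login. The helper name `verify_and_upgrade`, the `$policy` array and the sample password are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample: stands in for a hash stored long ago with a low bcrypt cost.
$stored = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 8]);

// The algorithm and its parameters are encoded in the hash string itself
// (the "$2y$08$" prefix means bcrypt, cost 8); password_get_info() decodes them.
$info = password_get_info($stored);
printf("prefix=%s algo=%s cost=%d\n",
    substr($stored, 0, 7), $info['algoName'], $info['options']['cost']);

/**
 * Hypothetical login helper (not a PHP built-in).
 * Verifies the password against the stored hash. If the hash was created with
 * an algorithm or options weaker than the current policy, it also returns a
 * fresh hash for the caller to persist.
 *
 * @return array{0: bool, 1: ?string} [password accepted, replacement hash or null]
 */
function verify_and_upgrade(string $password, string $storedHash, array $policy): array
{
    // password_verify() reads the algorithm from $storedHash and compares
    // in a timing-safe way; no algorithm argument is needed.
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    // Only at this point is the plaintext available, so this is the moment to rehash.
    if (password_needs_rehash($storedHash, $policy['algo'], $policy['options'])) {
        return [true, password_hash($password, $policy['algo'], $policy['options'])];
    }
    return [true, null];
}

// Assumed current policy: bcrypt with a higher cost than the stored hash used.
$policy = ['algo' => PASSWORD_BCRYPT, 'options' => ['cost' => 12]];

// Wrong password: rejected, nothing to store.
var_dump(verify_and_upgrade('wrong guess', $stored, $policy));

// Correct password against the old hash: accepted, and a cost-12 hash is returned.
[$ok, $upgraded] = verify_and_upgrade('correct horse battery staple', $stored, $policy);
var_dump($ok, password_get_info($upgraded)['options']['cost']);

// Next login against the upgraded hash: accepted, no further rehash needed.
var_dump(verify_and_upgrade('correct horse battery staple', $upgraded, $policy));
```

In an application the returned replacement hash would be written back to the user's record in place of the old one.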