A while back I posted on the topic of Securing PHP User Authentication, Login, and Sessions. While the majority of the methods for increasing obscurity remain valid, the hashing algorithms used have become increasingly insecure. If you have not done so, I highly recommend reading the original article before continuing, as it contains additional strategies not mentioned here.
There are some inherent security considerations to take into account when using very fast hashing algorithms such as SHA1 or MD5. Modern multi-processor computers and GPUs can quickly brute-force passwords that weren’t encrypted with a very slow, secure algorithm. For these reasons, I have taken it upon myself to create a new, informative post on proper implementation of encryption using bcrypt, with fallbacks on SHA-256/512 with key stretching. At the end of this post you can find some external references on why you should ditch MD5 and SHA1 in favor of bcrypt.
Secure Encryption Class using bcrypt
Below you will find a class which can easily be integrated to create a more robust and secure login authentication system for your sites. Likewise, it can just as easily be used for one-way encryption.
Example Encryption Usage
Below you will find an example of encrypting a string using the SecureHash class.
Example Password Verification
Below you will find an abridged example of verifying a user’s login credentials. The process has some additional steps outside the scope of this post, but they are outlined here to give you an idea of how to implement this class fully. After a user enters their email address and password, your system needs to take the user’s email address and perform a database lookup to determine whether a user account exists matching the supplied email address. If an account exists, you need to return the user’s encrypted password and salt from the matching database row. With the returned salt, you need to run the encryption over the user-supplied password to generate an encrypted password. We then compare this encrypted password to the encrypted password returned from the database to check for equality. If the two encrypted passwords are the same, the user supplied the correct password and we can log them in. It’s up to you to implement the database calls and login; they have only been pseudo-coded in for completeness.
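The lookup, re-hash and compare flow described above, written out as an added example that is not the SecureHash class from this post. The function names, the cost and round constants, the use of PBKDF2 as the key-stretching fallback, and the in-memory array standing in for the database are all assumptions made for illustration.

```php
<?php
// Added example: names and constants here are hypothetical, not the post's SecureHash class.
const EXAMPLE_BCRYPT_COST = 12;        // assumed bcrypt work factor
const EXAMPLE_PBKDF2_ROUNDS = 200000;  // assumed stretching rounds for the fallback

// 22-character salt drawn from bcrypt's alphabet (./A-Za-z0-9).
function example_salt(): string
{
    return substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
}

// bcrypt through crypt() where available, otherwise stretched SHA-512/256 (PBKDF2).
function example_hash(string $password, string $salt): string
{
    if (defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH === 1) {
        $hash = crypt($password, sprintf('$2y$%02d$%s', EXAMPLE_BCRYPT_COST, $salt));
        if (strlen($hash) === 60) {   // a complete bcrypt string is 60 characters
            return $hash;
        }
    }
    $algo = in_array('sha512', hash_algos(), true) ? 'sha512' : 'sha256';
    return $algo . '$' . hash_pbkdf2($algo, $password, $salt, EXAMPLE_PBKDF2_ROUNDS);
}

// Look up the account, re-hash the supplied password with the stored salt, compare.
function example_verify(array $users, string $email, string $password): bool
{
    $row = $users[strtolower($email)] ?? null;
    // Hash even when no account matches, so both paths cost about the same time.
    $salt = $row['salt'] ?? example_salt();
    $candidate = example_hash($password, $salt);
    // hash_equals() compares in constant time, unlike == or ===.
    return $row !== null && hash_equals($row['hash'], $candidate);
}

// Constructed sample data standing in for the users table.
$salt = example_salt();
$users = [
    'alice@example.com' => ['salt' => $salt, 'hash' => example_hash('correct horse', $salt)],
];

var_dump(example_verify($users, 'alice@example.com', 'correct horse'));  // matching password
var_dump(example_verify($users, 'alice@example.com', 'wrong guess'));    // wrong password
var_dump(example_verify($users, 'nobody@example.com', 'correct horse')); // unknown account
```

Note that bcrypt only considers the first 72 bytes of the password, so longer inputs that share that prefix produce the same hash.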
With that being said, please stop using anything other than bcrypt on your sites. You’re putting yourself and your users at risk when you do. Below are some articles of particular interest on why you should be using bcrypt as opposed to others: