3

I've been working on a site that requires users to log in. It's written in PHP with MySQL, and passwords are stored as Whirlpool hashes with a salt (source code later).

However, security sites or fellow developers have advised against this (actually, SHA-256, but the point remains) and have recommended bcrypt or PBKDF2. I'm not sure of the advantages of using one of these or why the current one is wrong. Does anybody mind explaining their reasoning?

Here's my code to register:

// Escape the username for use in the SQL string below.
$escusrnm = $con->real_escape_string($_POST["usrnm"]);
// 32-character salt: one letter followed by 31 shuffled alphanumerics.
$newSalt = substr(str_shuffle("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, 1) . substr(str_shuffle("aBcEeFgHiJkLmNoPqRstUvWxYz0123456789"), 0, 31);
// Salted Whirlpool hash; the salt itself is stored in the "hash" column.
$passHashed = hash("whirlpool", $_POST["pss"].$newSalt);
$con->query("INSERT INTO users (username, pass, hash) VALUES ('{$escusrnm}', '{$passHashed}', '{$newSalt}')");
$_SESSION["usernm"] = $_POST["usrnm"];

Here's my login code:

$escusrnm = $con->real_escape_string($_POST["usrnm"]);
$getdats = $con->query("SELECT * FROM users WHERE username='{$escusrnm}'");
if (mysqli_num_rows($getdats) > 0) {
    $getdats = $getdats->fetch_assoc();
    // Recompute the salted hash; === avoids PHP's loose numeric-string comparison.
    if(hash("whirlpool", $_POST["pss"].($getdats["hash"])) === $getdats["pass"]) {
        $_SESSION["usernm"] = $getdats["username"];
    } else {
        $errormsg = "There was an error. Check your information again, or register.";
    }
} else {
    // Same message as a wrong password, so the response does not reveal whether the username exists.
    $errormsg = "There was an error. Check your information again, or register.";
}
cjfaure

1 Answer

2

I'm not sure of the advantages of using one of these or why the current one is wrong. Does anybody mind explaining their reasoning?

Bcrypt CAN BE stronger than Whirlpool; it depends on your strength setting. This is one of the most important advantages of bcrypt: you can increase the strength as computers get more powerful, plus it's extremely difficult to crack using a GPU compared to simple SHA/Whirlpool hashes.

Since PHP 5.5, we've had bcrypt available as easy-to-use functions. To create a hash you would use password_hash($pass). You don't need to worry about salts because one is automatically generated and placed inside the hash. Because of this, you need to use password_verify($pass, $hash) to check a hash, as generating a hash will use a different salt every time (and your strength settings could change).

There is almost no reason not to use this for a new application, as it's proven to be much, much more secure than standard hashing algorithms. If you're on a version of PHP older than 5.5, there are a variety of libraries available to assist with this, most commonly ircmaxell's password_compat.

Someguy123
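
Added example (not code from the question or the answer): one way to move the question's salted-Whirlpool rows to bcrypt at login time, using password_hash(), password_verify() and password_needs_rehash(). The in-memory row, the `bcrypt` column, the function name and the cost value 12 are assumptions made for illustration; it needs PHP 7 or later.

```php
<?php
// Added example: an in-memory "users" row stands in for the MySQL table.
// 'pass' and 'hash' (the salt) follow the question's schema; the 'bcrypt'
// column, BCRYPT_COST and verifyAndUpgrade() are hypothetical names.
const BCRYPT_COST = 12;

function verifyAndUpgrade(array &$row, string $password): bool
{
    $opts = ['cost' => BCRYPT_COST];

    if ($row['bcrypt'] !== null) {
        // password_verify() reads the salt and cost out of the stored hash.
        if (!password_verify($password, $row['bcrypt'])) {
            return false;
        }
        // If the configured cost was raised since this hash was made,
        // re-hash now, while the plaintext is available.
        if (password_needs_rehash($row['bcrypt'], PASSWORD_BCRYPT, $opts)) {
            $row['bcrypt'] = password_hash($password, PASSWORD_BCRYPT, $opts);
        }
        return true;
    }

    // Legacy path: salted Whirlpool as in the question, compared in constant time.
    $legacy = hash('whirlpool', $password . $row['hash']);
    if (!hash_equals($row['pass'], $legacy)) {
        return false;
    }
    // Correct password: replace the fast hash with bcrypt and clear the old columns.
    $row['bcrypt'] = password_hash($password, PASSWORD_BCRYPT, $opts);
    $row['pass'] = $row['hash'] = null;
    return true;
}

// Constructed sample row holding a legacy salted-Whirlpool hash.
$salt = bin2hex(random_bytes(16));
$row = ['username' => 'alice', 'hash' => $salt,
        'pass' => hash('whirlpool', 'correct horse' . $salt), 'bcrypt' => null];

var_dump(verifyAndUpgrade($row, 'wrong guess'));    // wrong password, legacy path
var_dump(verifyAndUpgrade($row, 'correct horse'));  // legacy path, row gets upgraded
var_dump(password_get_info($row['bcrypt']));        // algorithm and cost stored in the hash
var_dump(verifyAndUpgrade($row, 'correct horse'));  // now checked by password_verify()
```

Rows for users who never log in again keep their Whirlpool hash, so a migration like this still needs a plan for those accounts, such as forcing a password reset.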