I am trying to hash the password using SHA256 with random salt and random key in php and storing back hash value with salt and key used. I want to know does this provide adequate safety?
The following is code:
function hashpwd($string, $salt, $KEY)
{
if(strcmp($KEY, '')==0)
$KEY=openssl_random_pseudo_bytes(32); //key used for encryption and decryption
if(strcmp($salt, '')==0)
{
$salt= openssl_random_pseudo_bytes(32);
}
$string = $salt.$string;
$pwd = hash_hmac("SHA256", $string, $KEY);
//echo "$salt".$pwd."<br>";
return base64_encode($salt).base64_encode($KEY).$pwd;
}
Should I use double salt?
Note: Running on PC not sure of affording multiple iterations of hashing.
EDIT:
I changed the code to following, used password_hash() with BCRYPT and 5000 rounds:
function hashpwd($password)
{
$salt='';
$strong = FALSE;
while (!$strong){
$salt = openssl_random_pseudo_bytes(32,$strong);
}
$pwd = rtrim(password_hash($password, PASSWORD_BCRYPT, array('rounds'=> 5000, 'salt'=> $salt)));
return $pwd;
}
Is the above code good enough?
I am not questioning the security of BCRYPT, My question was to know which of the two codes was better to use.