Is this a bad practice for storing passwords in PHP?


I'm using the crypt function in PHP to hash passwords, along with salt obviously. But I'm generating my salt by calling the md5 function over the date function. And every time the user logs in the salt gets regenerated.

Is any of this bad in any way? I am still relatively new to PHP (and webdev) and I'm trying to get my security right before I deploy this code.

$salt = md5(date('m/d/Y h:i:s a'));

There is 1 answer

p1xel (BEST ANSWER)

It is considered bad practice by many. Here are (some of) the reasons:

  1. You are using md5, a weak, old, and fast-to-calculate hash.
  2. The salt is generated in a predictable fashion. The salt should be different for every user (even if registered in the same second) and should be more random than the date.
  3. You are reinventing the wheel. You are using the crypt function to hash the passwords, so there is no reason not to use that for getting a secure salt. password_hash() is a built-in function in PHP 5.5, and a compatibility library exists for versions slightly older than that.

How to use password_hash()

TL;DR: use password_hash() to generate the salt AND hash the password; there is no need to reinvent the wheel in a less secure fashion.

Credit to be given to Hobo Sapiens for mentioning password_hash() first.
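As an added illustration (not code from the question or the answer above), the following contrasts the question's date-derived salt with password_hash()/password_verify(); it assumes PHP 5.5 or newer, and the timestamp and passwords are constructed sample values:

```php
<?php
// Added example: why a date-derived salt fails and what password_hash() does instead.
// Assumes PHP >= 5.5 (or the password_compat library on slightly older versions).

// The question's approach: the salt depends only on the current second, so two
// users who register in the same second receive exactly the same salt.
function legacy_salt($registeredAt) {
    return md5(date('m/d/Y h:i:s a', strtotime($registeredAt)));
}

// Recommended: password_hash() draws a random per-user salt from the CSPRNG and
// embeds the algorithm, cost and salt in the returned string (e.g. "$2y$10$...").
function register($password) {
    return password_hash($password, PASSWORD_DEFAULT);
}

// Login check: password_verify() reads the salt and cost back out of the stored
// string, so nothing has to be regenerated or stored separately at login time.
function login($password, $storedHash) {
    return password_verify($password, $storedHash);
}

// Transparent upgrade: after a successful login, rehash if the default algorithm
// or cost has changed since the stored hash was created. Returns null if current.
function maybe_rehash($password, $storedHash) {
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        return password_hash($password, PASSWORD_DEFAULT);
    }
    return null;
}

// Constructed demonstration: two accounts created within the same second.
$sameSecond = '2024-01-01 12:00:00';
var_dump(legacy_salt($sameSecond) === legacy_salt($sameSecond)); // bool(true): shared salt

// Same password hashed twice with password_hash(): different salts, different hashes.
$hash1 = register('correct horse battery staple');
$hash2 = register('correct horse battery staple');
var_dump($hash1 === $hash2);                                    // bool(false)
var_dump(login('correct horse battery staple', $hash1));        // bool(true)
var_dump(login('wrong password', $hash1));                      // bool(false)
var_dump(maybe_rehash('correct horse battery staple', $hash1)); // NULL (hash is current)
```

Store only the string returned by password_hash(); the salt never needs its own column, and never regenerate it on login.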