Published on October 22, 2011
Password encryption using sha256 and salts
When storing passwords in a database it is good practice to store only the 64-digit hexadecimal SHA-256 hash, so the actual passwords can never be viewed by anyone who gets hold of the data.
sha256 password hashing requires a varchar(64) password field on your users table; the hash is inserted into the database as a 64-digit hexadecimal string. We will also use a varchar(3) salt field, as well as the int(11) id field and the varchar(30) username field. Using sha256 hashing AND the salt gives us double protection.
The registration.php script should contain something similar to:
// registration.php: $pass1 holds the password submitted by the registration form

function createSalt()
{
    // three hexadecimal characters taken from the md5 of a unique id
    $string = md5(uniqid(rand(), true));
    return substr($string, 0, 3);
}

$hash = hash('sha256', $pass1);          // inner hash of the plain password
$salt = createSalt();
$hash = hash('sha256', $salt . $hash);   // outer hash: sha256(salt . sha256($pass1))
// store $salt in the varchar(3) salt column and $hash in the varchar(64) password column
Your log-in form then checks the database using something similar to:
// $result is the result of the query that selected this username's row
$userData = mysql_fetch_array($result, MYSQL_ASSOC);

// recompute sha256(salt . sha256(password)) using the salt stored for this user
$hash = hash('sha256', $userData['salt'] . hash('sha256', $password));

if ($hash !== $userData['password']) // incorrect password (strict comparison, so PHP does not compare the hex strings as numbers)
{
    header('Location: login-form.php');
    echo "No such password exists";
    die();
}
else
{
    validateUser(); // sets the session data for this user
}
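As an added example (not from the original post), the same scheme reimplemented in Python so that rows written by the PHP code can be checked outside the web app. The function names (hash_password, login_check, salt_space) are my own; the salt is drawn from the secrets module instead of md5(uniqid()), but keeps the page's three-hex-character form, so the number of possible salts is the same.

```python
import hashlib
import hmac
import secrets

SALT_LEN = 3  # the page's varchar(3) salt column


def create_salt() -> str:
    """Three hex characters, like the page's substr(md5(...), 0, 3).
    Assumption: drawn from secrets rather than md5(uniqid()); same 16**3 keyspace."""
    return secrets.token_hex(2)[:SALT_LEN]


def hash_password(password: str, salt: str) -> str:
    """The page's scheme: sha256(salt . sha256(password)), as 64 hex characters."""
    inner = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return hashlib.sha256((salt + inner).encode("utf-8")).hexdigest()


def register(password: str) -> dict:
    """What registration.php stores for a new user: the salt and the derived hash."""
    salt = create_salt()
    return {"salt": salt, "password": hash_password(password, salt)}


def login_check(row: dict, password: str) -> bool:
    """The log-in comparison, done in constant time rather than with != / !==."""
    candidate = hash_password(password, row["salt"])
    return hmac.compare_digest(candidate, row["password"])


def salt_space(salt_len: int = SALT_LEN) -> int:
    """How many distinct salts a hex salt of this length can take (16**3 = 4096)."""
    return 16 ** salt_len


if __name__ == "__main__":
    # constructed sample: register a user, then try a right and a wrong password
    row = register("correct horse")
    print(row)                                   # e.g. {'salt': 'a1b', 'password': '...64 hex...'}
    print(login_check(row, "correct horse"))     # True
    print(login_check(row, "wrong password"))    # False
    print(salt_space())                          # 4096
```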
More on brute force to come.
All works by Daniel C. Byrd of variablevisions.com