By: administrator - Published: 27th December, 2015
Bye Bye MD5!
Welcome Portable PHP Password Hashing!
Effective today, Skyline Grid has graduated from plain MD5 password hashing to bcrypt for all passwords handled by the core platform and all connected applications.
Blowfish-based bcrypt hashing is provided by Openwall's Portable PHP password hashing framework (phpass), a public domain library for hashing and verifying passwords. It calls PHP's crypt() with the bcrypt ($2a$/$2y$) scheme when the server supports it, and only falls back to its weaker "portable" MD5-based hashes when asked to, or when bcrypt is unavailable.
What's the difference between MD5 and bcrypt?
Password hashing is the procedure used to store a verifier for a password on a server, rather than the password itself. For instance, when creating an account on a popular social network, like Facebook or Twitter, users type in a password, which they'll use to log in next time.
Passwords should never be stored in plain text on a server, or anywhere else, so how do these sites know that the password is correct? Password hashing.
When creating an account on a website, the password travels to the server inside the encrypted (TLS) connection, and the server immediately "hashes" it: it runs the password through a one-way algorithm that converts it into a fixed-length string of apparently random characters, which cannot be turned back into the password.
Only that hashed string is saved on the server; the password itself is discarded.
When attempting to log in, the website takes the newly entered password, hashes it with the same process (and, for a salted scheme, the same salt that is stored alongside the hash) as during registration, and compares the result with the stored string. If the two match, the user is granted access. The comparison should be done in constant time so that the response time does not leak how many characters matched.
A plain MD5 hash is deterministic and unsalted: the same password always produces the same 32-character digest, so two users with the same password have the same hash, and an attacker can precompute a table of digests for common passwords once and reuse it against every stolen database. MD5 is also extremely fast, which is exactly what a cracker with proper tools and GPU computational power wants: billions of guesses per second.
bcrypt, on the other hand, combines a random salt with the password, so hashing the same password twice results in a completely different string each time; the salt is stored inside the hash, and the system reads it back out when verifying a login. bcrypt also has a configurable cost factor that makes each hash deliberately slow to compute (thousands of Blowfish key-setup rounds), so every guess costs the attacker as much work as it costs the legitimate login, and the cost can be raised as hardware gets faster.
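The difference described above, as an added example that is not part of the original post and is not code from Openwall or phpass: it hashes one password twice with plain md5() and twice with bcrypt through phpass, then runs the login check against the bcrypt hashes. The example assumes PHP 7 or later and that Openwall's PasswordHash.php sits next to the script; the PasswordHash class and its HashPassword()/CheckPassword() methods are phpass's real API, while the constructed sample password and the helper names (make_hasher, register_user, login, legacy_md5_hash) are this example's own. The second constructor argument is set to false so phpass never silently downgrades to its portable "$P$" MD5-based hashes, and the result is checked for the bcrypt prefix anyway.

```php
<?php
// Added example: md5 versus bcrypt (via phpass). Not code from the original post
// or from Openwall; assumes PHP >= 7 and phpass's PasswordHash.php beside this file.
require_once __DIR__ . '/PasswordHash.php';

// Cost 2^12 = 4096 bcrypt rounds. The 'false' means: never fall back to the
// weaker portable "$P$" hashes phpass emits when bcrypt is not available.
const BCRYPT_COST_LOG2 = 12;

function make_hasher(): PasswordHash
{
    return new PasswordHash(BCRYPT_COST_LOG2, false);
}

// What the old scheme stored: an unsalted md5() digest. Same input gives the
// same digest, so one precomputed table cracks every user sharing a password.
function legacy_md5_hash(string $password): string
{
    return md5($password);
}

// What the new scheme stores: a 60-character bcrypt string that carries its
// own random salt and cost factor, e.g. "$2a$12$<22 salt chars><31 hash chars>".
function register_user(string $password): string
{
    $hash = make_hasher()->HashPassword($password);

    // phpass returns '*' when it could not produce a hash; never store that.
    if ($hash === '*' || strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    // Refuse anything that is not bcrypt (a "$P$" result would mean the
    // portable fallback kicked in, which is not what we want to store).
    if (!preg_match('/^\$2[ay]\$\d{2}\$/', $hash)) {
        throw new RuntimeException('expected a bcrypt hash, got prefix ' . substr($hash, 0, 4));
    }
    return $hash;
}

// Login: phpass reads the salt and cost back out of the stored hash, recomputes
// bcrypt over the submitted password, and compares the two strings.
function login(string $password, string $stored_hash): bool
{
    return make_hasher()->CheckPassword($password, $stored_hash);
}

$password = 'correct horse battery staple';   // constructed sample input

// MD5: identical every time, and the same for every user with this password.
$md5_a = legacy_md5_hash($password);
$md5_b = legacy_md5_hash($password);
printf("md5 #1:    %s\nmd5 #2:    %s\nidentical: %s\n\n",
    $md5_a, $md5_b, var_export($md5_a === $md5_b, true));

// bcrypt: a fresh random salt per call, so the stored strings differ...
$hash_a = register_user($password);
$hash_b = register_user($password);
printf("bcrypt #1: %s\nbcrypt #2: %s\nidentical: %s\n\n",
    $hash_a, $hash_b, var_export($hash_a === $hash_b, true));

// ...yet both verify, because the salt travels inside the hash.
printf("login, right password, hash #1: %s\n", var_export(login($password, $hash_a), true));
printf("login, right password, hash #2: %s\n", var_export(login($password, $hash_b), true));
printf("login, wrong password:          %s\n", var_export(login('correct horse battery stapler', $hash_b), true));
```

Raise BCRYPT_COST_LOG2 until a single hash takes on the order of a hundred milliseconds on the production server; every increment doubles the attacker's work per guess. Note that PHP 5.5 and later also ship password_hash() and password_verify(), which produce the same $2y$ bcrypt strings natively, so the stored hashes remain usable if phpass is ever dropped.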
Hashing versus encryption
There seems to be a bit of confusion when it comes to understanding the difference between password encryption and password hashing. Encryption protects data that has to be read again later, such as end-to-end communication between two parties. It is used in all forms of protected communication, such as credit card payment processing, encrypted email and messaging, and government websites.
Encryption is the wrong tool for storing passwords, because by design it is reversible: anyone who obtains the key (for example by compromising the same server that holds the password database) can decrypt every password. Hashing is a one-way process with no key and no inverse; the only way to recover a password from its hash is to guess candidates and hash each one, which is exactly the work bcrypt is built to make expensive. A server never needs to read a password back, only to check whether a submitted one matches, so hashing is what password storage calls for.
Giving credit when credit's due
The guys at Openwall did one heck of a job providing a very portable, clean, elegant and efficient package. The Portable PHP password hashing framework is not only easy to implement, it is also capable of adapting to different servers running different versions of PHP, so that the strongest hashing method the server supports is used. One caveat to be aware of: that adaptability includes a fallback to its own MD5-based "portable" hashes (recognisable by the $P$ prefix) when bcrypt is unavailable or when the PasswordHash class is constructed with portable hashes enabled, so the stored hashes should be checked for the bcrypt $2a$ or $2y$ prefix to confirm bcrypt is actually in use.