How To Safely Hash A Password

Updated: at 07:43 PM

If you’re not using bcrypt get with it or be vulnerable

Coda Hale writes:

Use bcrypt.

Why Not {MD5, SHA1, SHA256, SHA512, SHA-3, etc}?

These are all general purpose hash functions, designed to calculate a digest of huge amounts of data in as short a time as possible. This means that they are fantastic for ensuring the integrity of data and utterly rubbish for storing passwords.

A modern server can calculate the MD5 hash of about 330MB every second. If your users have passwords which are lowercase, alphanumeric, and 6 characters long, you can try every single possible password of that size in around 40 seconds.

For PHP 5.5, use password_hash(). For PHP 5.3.7 through PHP 5.4.x, use the password_compat polyfill on GitHub.
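Putting that PHP 5.5 API into practice, as an added example that is not part of this post or of Coda Hale's article; the cost value and the sample password are assumptions chosen for illustration, and the code avoids PHP 7 syntax so it also runs against the password_compat polyfill:

```php
<?php
// Added example (not from the original post): hashing, verifying and
// re-hashing a password with password_hash()/password_verify().

// Assumption: a work factor tuned so one hash takes a noticeable fraction of a
// second on your own hardware. Raise it over time; the hash string records the
// cost it was made with, so old hashes keep verifying.
define('BCRYPT_COST', 12);

// Hash a plaintext password for storage. password_hash() draws a random salt
// and embeds algorithm, cost and salt in the returned "$2y$..." string.
function hashPassword($password)
{
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
    if ($hash === false) {
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

// Verify a login attempt. password_verify() reads salt and cost out of the
// stored hash and compares in constant time, so no manual comparison is needed.
function checkPassword($password, $storedHash)
{
    return password_verify($password, $storedHash);
}

// After a successful login, upgrade hashes made with a cheaper cost so the
// work factor can grow with hardware. Returns the new hash, or null if the
// stored one already matches the current parameters.
function rehashIfNeeded($password, $storedHash)
{
    $opts = array('cost' => BCRYPT_COST);
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, $opts)) {
        return hashPassword($password);
    }
    return null;
}

// Demonstration with a constructed password.
$plain  = 'correct horse battery staple';
$stored = hashPassword($plain);
echo $stored, PHP_EOL;
var_dump(checkPassword($plain, $stored));
var_dump(checkPassword('wrong password', $stored));

// Simulate a hash left over from a lower cost and upgrade it at login time.
$legacy = password_hash($plain, PASSWORD_BCRYPT, array('cost' => 10));
var_dump(rehashIfNeeded($plain, $legacy) !== null);
```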

Read the full article at codahale.com