Welcome to the Treehouse Community
Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.
Looking to learn something new?
Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.
Start your free trial
Jose Gutiérrez
9,370 Pointsis pasword_hash secure enough? I learned a md5 - salt combination method to secure passwords. Which one should I use?
I learned a method which encrypts the password in the front end with javascript and md5 plus a salt grain (php random number stored in the session ). Its a little bit complicated and I am having problems implementing it in a object oriented MVC . Can I rely in the password_hash function?
2 Answers
andrewgabriel
18,106 PointsAlways use password_hash without providing your own salt. I would suggest using PASSWORD_DEFAULT which will generate a salt on its own. Other algorithms like md5 are pretty quick in generating a hash which in return also means that they can be brute-forced very easily.
$hash = password_hash($password, PASSWORD_DEFAULT);
Jose Gutiérrez
9,370 PointsAndrew thanks for take the time and answer ??. So I use password_hash() and in the database should I store the hashed password?
andrewgabriel
18,106 Points@Jose Gutiérrez Yes you can store the hashed password just like you would if you were using md5. The only advantage here is that you will be using a much more secure and safer route that will protect your users' passwords.