Do not use MD5 to hash user passwords! Do not use SHA-x! Yeah, but why? I'll show you, donut worry. We'll talk about password cracking, what the speeds are, how passwords are cracked on GPUs, and of course how to defend against cracking. As an example, I'll use a recent data leak in which 750k plaintext passwords surfaced from a site that supposedly used MD5. We'll also explain what a salt is and what it's not, and that it's not there to prevent cracking, and that's fine. Finally, I'll explain what slow hashes like bcrypt or Argon2 are and how to use them in PHP. Let's get cracking!
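The PHP side of the abstract, as an added example that is not part of the talk or its slides: it contrasts a legacy MD5 record with a bcrypt hash produced by password_hash(), shows that the salt lives inside the hash string (so the same password hashes differently each time), and uses password_needs_rehash() to upgrade records transparently on the next successful login. The cost of 12, the in-memory user "database", and the MD5-to-bcrypt migration path are assumptions made for this example; the password_* functions themselves are PHP's own (7.2 or later).

```php
<?php
declare(strict_types=1);

// Added example, not code from the talk. Assumed parameters: bcrypt at cost 12;
// the "database" is an in-memory array. Needs PHP 7.2+ for the password_* API.
// On builds compiled with Argon2 support, PASSWORD_ARGON2I (7.2) or
// PASSWORD_ARGON2ID (7.3+) can replace PW_ALGO below with no other code change.

const PW_ALGO    = PASSWORD_BCRYPT;
const PW_OPTIONS = ['cost' => 12]; // raise over time as hardware gets faster

// A fast, unsalted hash: every user with the same password gets the same digest,
// and a GPU tests enormous numbers of MD5 candidates per second. Included only as
// the "before" state that the login code migrates away from.
function legacyMd5(string $password): string
{
    return md5($password);
}

// Slow, salted hash. password_hash() generates a random salt itself and encodes
// it, the algorithm and the cost into the returned string, so nothing extra
// needs to be stored and the same password yields a different hash each call.
function hashPassword(string $password): string
{
    return password_hash($password, PW_ALGO, PW_OPTIONS);
}

// Login check. Returns true on success. When the stored value is a legacy MD5
// digest, or a bcrypt hash with an outdated cost, a fresh hash is handed to
// $persist so the record is upgraded without the user noticing.
function verifyPassword(string $password, string $stored, callable $persist): bool
{
    // Legacy record: md5() output is exactly 32 lowercase hex characters.
    // hash_equals() keeps the comparison constant-time.
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        $persist(hashPassword($password)); // upgrade to bcrypt on first good login
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PW_ALGO, PW_OPTIONS)) {
        $persist(hashPassword($password)); // cost or algorithm changed since storing
    }
    return true;
}

// Rough time for one hash at the configured cost. An attacker's guessing rate is
// bounded by this per-guess cost, which is the whole point of a slow hash.
function hashDurationMs(string $password): float
{
    $start = microtime(true);
    hashPassword($password);
    return (microtime(true) - $start) * 1000;
}

// --- demo with constructed records ---
$users = [
    'alice' => legacyMd5('correct horse'),   // pretend this came from the old MD5 site
    'bob'   => hashPassword('battery staple'),
];

printf("alice (MD5 legacy): %s\n", $users['alice']);
printf("bob   (bcrypt):     %s\n", $users['bob']);
printf("same password hashed twice: %s\n",
    hashPassword('x') === hashPassword('x') ? 'same hash' : 'different hashes (random salt)');

$ok = verifyPassword('correct horse', $users['alice'], function (string $new) use (&$users): void {
    $users['alice'] = $new;
});
printf("alice login: %s; record is now: %s\n", $ok ? 'ok' : 'fail', $users['alice']);

$noop = function (string $unused): void {};
printf("bob with wrong password: %s\n",
    verifyPassword('nope', $users['bob'], $noop) ? 'ok' : 'fail');
printf("one bcrypt hash at cost %d takes ~%.0f ms\n", PW_OPTIONS['cost'], hashDurationMs('x'));
```

Run it with `php example.php`. The salt in the bcrypt string is why two users with the same password no longer share a hash and why precomputed tables are useless, but it does nothing to slow down guessing an individual hash; only the cost parameter does that, which is why the script prints how long a single hash takes.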

Comments


"Cracking passwords is cheap. Thank you cloud"... Great examples on a topic that is forever present.

An inspiring talk with lots of statistics/numbers showing why you should use password_hash and not SHA1/MD5 for your password hashing.

Miro Svrtan at 10:21 on 30 Oct 2018

Interesting topic, speaker was fun to watch. It was visible the speaker was nervous at times, try to relax (I know, it's easier said than done).

For 5*: speaker should be a bit better prepared, there were more than a few occasions where he went back, got lost or couldn't remember facts he was trying to point to.

Good reminder of how we should store password hashes and why it's so important to do it right. I didn't know about "password_needs_rehash" and have implemented it right after the conference. Thank you!

Karol Kreft at 22:05 on 5 Nov 2018

A good example of how to make a very interesting talk for a PHP conference by using such a broad topic and just a few PHP references. Even if you already knew everything about the security improvements brought in PHP 7.2, this talk kept you curious due to the examples and narration created by Michal.