TheJSB TheJSB - 7 months ago 42
PHP Question

Password hashing: Keccak or not

The winner of

hashing algorithm contest has been chosen. The winner's algorithm is Keccak.

I use Blowfish and really like it, but Keccak is said to be better. Is it worth to use it for storing user's passwords on my website?

If yes, are there any implementations of Keccak for PHP, Python, Ruby or any other languages, used in web programming?

I hope this question will help other people, too. Thanks!


I use Blowfish and really like it, but Keccak is said to be better.

"Better" is such a relative term. Better in what? Security, performance, scalability, portability, ... ?

If you want the greater "security" just for hashing user passwords, then Keccak is probably a not good option. Blowfish will give you better "security" as in it will take longer to brute-force the hash if the hash is ever discovered.

That being said, Keccak is a decent option if you're looking for something to run on embedded architecture, or if you want greater portability. Here is a PHP implementation on github, and here is another You can also make your own language extension by downloading the Keccak source.

But, honestly, it's probably best to stick with what you know. If a hacker can easily get the blowfish hashes you are currently using, then the problem is not the hashing algorithm but the access to the database. Also note that the PHP extension would have to be installed on ALL of the servers using this, which may or may not be possible if you're using a shared host.

In reality you should probably stick with what you have. Chances are it's safe enough, and once the Keccak implementation gets ported to the standard PHP core you can move then (if you need to). Just my two cents.