By DeepSource

Audit required: Use of an insecure hashing function PHP-A1004

a02 cwe-327 sans top 25 owasp top 10 cwe-916

Using md5(), sha1() function is not recommended to generate secure passwords. Due to its fast nature to compute passwords too quickly, these functions can become really easy to crack a password using brute force attack.

It is recommended to use PHP's password hashing function password_hash() to create a secure password hash.

In past it has led to the following vulnerabilities:

It is also found that these functions can be used to generate random string from given data. But doing it is not a secure way to generate a secure random string.

It is recommended to create a random secure string using existing packages like RandomLib or Security Utility. It can help you do things like secure random bytes and strings, hash(using PHP's hash() function) given data with particular salt, encrypt/decrypt the data, etc.

If you do not prefer to add a new dependency into your project, you can use this code snippet from the Stackoverflow to generate a secure string.

Bad practice

// invalid: using md5() to hash the password is not recommended
$password = md5($_GET['password']);
// invalid: using sha1() to hash the password is not recommended
$password = sha1($_GET['password']);


// valid: use function like password_hash to hash the password
$password = password_hash($_GET['password'], PASSWORD_BCRYPT);