Hi All,

I'm in the middle of building a new login/registration class and was going to apply a hashing function to the pw and an activation token, when I came across the hash_hmac function.

I've tried finding out more about it, but info is pretty scarce. Could anybody shine some light on this for me? I gleaned this (leaving out the last parameter for now):

echo hash_hmac('sha256', 'the string to be hashed', 'my_secret_key');
echo hash('sha256', 'the string to be hashed' . 'my_secret_key');

Obviously, I'm not expecting the outputs to be the same, but does the first line have an advantage over the second? The third parameter in line 1 is a key, as opposed to a salt. I've used the string as a salt in line 2. Getting a DVT in my amygdala over this :)


My question's not very clear - is hash_hmac better than hash? Would their uses be different?

To my understanding hmac variations are substantially less prone to collisions than the standard hash functions.

I know this is not directly related to your question, but have you considered using bcrypt for your passwords? Assuming your environment is 5.3+

Thanks ms. Great reply as usual.

I have never used it, but from what I have read:
HMACs are substantially less affected by collisions than their underlying hashing algorithms alone.
So adding an HMAC to an MD5 hash would make it substantially more difficult to break via a rainbow table.
I believe the only known attack type against hmac hash is brute force.
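
An added example, not part of any post in this thread: one way to split the two jobs from the question, with password_hash() (bcrypt) for the password and hash_hmac() with a server-side key for the activation token. It assumes PHP 7.0 or later; the function names, the `|` separator, the token layout and the sample values are made up for illustration.

```php
<?php
// Added example. All names and sample values are hypothetical / constructed.

// Passwords: bcrypt is deliberately slow and password_hash() salts for you.
function hash_password(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function check_password(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Activation token: a random nonce plus an HMAC tag that binds the nonce
// to one user id. Only a holder of $key can produce a valid tag.
function make_activation_token(int $userId, string $key): string
{
    $nonce = bin2hex(random_bytes(16));
    $tag   = hash_hmac('sha256', $userId . '|' . $nonce, $key);
    return $nonce . '.' . $tag;
}

function verify_activation_token(int $userId, string $token, string $key): bool
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return false; // malformed token, reject before doing any HMAC work
    }
    list($nonce, $tag) = $parts;
    $expected = hash_hmac('sha256', $userId . '|' . $nonce, $key);
    // hash_equals() compares in constant time, unlike == or ===.
    return hash_equals($expected, $tag);
}

// Constructed demo. A real key is generated once and kept in server-side
// configuration, not regenerated per request as it is here.
$key    = random_bytes(32);
$stored = hash_password('correct horse battery staple');
$token  = make_activation_token(42, $key);

var_dump(check_password('correct horse battery staple', $stored));
var_dump(check_password('wrong guess', $stored));
var_dump(verify_activation_token(42, $token, $key));
var_dump(verify_activation_token(43, $token, $key)); // token issued to user 42
```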

Thanks, dd. I'm halfway through reading ms's reading list at the moment. My nose isn't quite bleeding but I've got a strong tickle! :)

Seems I'm gaining a lot of pain!