The real weakness is in not using an acceptable password hashing function at all. Using scrypt requires root access and the ability to install PHP extensions via PECL.
bytes comes out to about 573 bits of possible entropy, but SHA-384 hash outputs are clearly limited to 384 bits).
If you're concerned about security you should have some policy on what constitutes a valid password.
Some common restrictions are:

Leaving the last requirement for now, as it requires a server-side script, let's see what's possible using just client-side HTML and JavaScript.
The most straightforward approach to migrating your legacy hashes from, e.g., MD5 to bcrypt/scrypt is to follow this strategy (which was first introduced to us in a Reddit discussion by Neo Thermic):

/**
 * This is example code.
On a technical level, they're vastly different, but for practical purposes they're morally equivalent. Our choice of bcrypt as the default was simple: in PHP (which represents a little over 80% of the Internet), the easiest choice for developers to implement in their applications is bcrypt (via the password hashing API that shipped with PHP 5.5).
It's the least secure of the acceptable password hashing algorithms on this page, so we aren't going to provide any example code.
If the purpose of registration is to confirm that the person exists and that they have supplied a valid email address, then as part of the registration process you should either email them a random password or a confirmation token, rather than letting them choose their own password and use it immediately.

We're going to show you now how to apply the password tests using a single regular expression. Consider the following:

If you are using a supported browser you can use the form below to test the regular expression:

If you want to restrict the password to ONLY letters and numbers (no spaces or other characters), then only a slight change is required.

Passwords need to be stored encrypted in the database or elsewhere, and any backups should also be encrypted.