TL;DR
This guide shows you how to securely hash passwords using scrypt. It covers generating a salt, hashing the password, and verifying it later.
What is Scrypt?
Scrypt is a key derivation function designed to be resistant to brute-force attacks. Unlike simpler hashing algorithms like MD5 or SHA256, scrypt requires more computational resources (memory and CPU), making it harder for attackers to crack passwords quickly.
Step 1: Install Required Tools
You’ll need a tool that supports scrypt. Here are some options:
- PHP with the password_hash extension: This is common on web servers.
- Python with the bcrypt library (which often includes scrypt support): Good for scripting and automation.
- Command-line tools like
mkpasswd(if available on your system).
For this guide, we’ll focus on PHP as it’s widely used.
Step 2: Generate a Random Salt
A salt is a random string added to the password before hashing. This prevents attackers from using pre-computed tables of hashes (rainbow tables). PHP’s password_hash function handles this automatically, so you don’t need to generate it manually.
Step 3: Hash the Password
Use the password_hash function in PHP to hash the password. This function takes the plain-text password and generates a secure hash including the salt.
Important: PASSWORD_DEFAULT uses the strongest available hashing algorithm on your system (usually bcrypt or Argon2id). You can specify other algorithms if needed, but generally it’s best to stick with the default.
Step 4: Store the Hash
Store the $hashedPassword in your database. Never store the plain-text password!
Step 5: Verify the Password When Logging In
When a user tries to log in, retrieve the stored hash from the database and use the password_verify function to compare it with the entered password.
password_verify automatically handles extracting the salt from the stored hash and comparing it to the entered password.
Step 6: Security Considerations
- Cost Factor: The cost factor determines how much computational effort is used when hashing. Higher cost factors are more secure but take longer to compute. PHP automatically manages this, but you can adjust it if necessary (use with caution).
- Regularly Update Libraries: Keep your PHP version and extensions up-to-date to benefit from the latest security improvements.
- Database Security: Protect your database from unauthorized access.