How to securely generate SSHA256 or SSHA512 hashes in PHP?

Question

I am working on a web administration module for mailservers (it\'s open source if you\'d like to take a look).

For that, I need to be able to generate hashed password th

Answer 1

Password generation function in PHP:

$hash = "{SSHA256}".base64_encode(hash('sha256', $password.$salt, true).$salt);

Necessarily "true" - the third parameter...

Answer 2

The Dovecot wiki page you linked to explains what the exact hash format Dovecot uses is. You don't have any choice in the matter -- Dovecot has its expectations on what the hash will look like, so you have to play by its rules:

For most of the salted password schemes (SMD5, SSHA*) the salt is stored after the password hash and its length can vary. When hashing the password, append the salt after the plaintext password, e.g.: SSHA256(pass, salt) = SHA256(pass + salt) + salt.

So an appropriate password generation function in PHP might look like:

$hash = "{SSHA256}" . base64_encode(hash('sha256', $password . $salt) . $salt);