This question already has answers here:
Secure hash and salt for PHP passwords
(14 answers)
Closed 4 years ago.
I used a mysql database to create a user's registration form and in my sign up code, I did not specify the encryption type for password. How do I create a login form in php which requires password?
Please use PHP's built-in functions to handle password security. If you're using a PHP version less than 5.5 you can use the password_hash() compatibility pack. It is not necessary to escape passwords or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding.
Related
This question already has answers here:
Secure hash and salt for PHP passwords
(14 answers)
Closed 4 years ago.
I'm trying to improve my login system and make it more secure.
$hashed_pass = password_hash($pass, PASSWORD_BCRYPT);
Is this function the best way to safely store password and other information in the database?
Is this function the best way to safely store password and other information in the database?
Yes it is safe to use. However, if you're looking for something even more powerful and your server supports it, you can use Argon2.
Reference links are:
https://en.wikipedia.org/wiki/Argon2
http://php.net/manual/en/function.password-hash.php (it's listed with the syntax).
However, using a custom salt has been deprecated in PHP 7.0.0
Warning
The salt option has been deprecated as of PHP 7.0.0. It is now preferred to simply use the salt that is generated by default.
This question already has answers here:
Secure hash and salt for PHP passwords
(14 answers)
Closed 5 years ago.
In storing passwords in php mysql, can i assume the passwords to be safe if i were to run md5 algorithm again and again and with combination of text replacement and rotation?
No, MD5 is not secure to use to create a password verifier.
With PHP use password_hash and password_verify, the pair are secure and easy to use.
When saving a password verifier just using a hash function is not sufficient and just adding a salt does little to improve the security. Instead use a function such as PBKDF2, Rfc2898DeriveBytes, Argon2, password_hash, Bcrypt or similar functions with about a 100ms duration. Make the attacker spend substantial of time finding passwords by brute force.
This question already has answers here:
Implement password recovery best practice
(12 answers)
Closed 7 years ago.
I am currently using password_hash which is one-way hash function so cannot be decrypted. So what exactly should I do for providing password recovery feature for users in case they forget password. Is there any built-in function like verify_password.
The simplest one is, you can email a link to reset the old password with the new one to the user who have forgotten his/her password. This doesn't require decrypting the old password and is pretty secure.
And also, I think this question might be helpful
Effective Techniques for Password Retrieval in Modern Web Applications
This question already has answers here:
Secure hash and salt for PHP passwords
(14 answers)
Closed 8 years ago.
Would the following be a safe way of storing a user's password in a database?
When registering:
$salt=hash("sha512", rand());
$password=hash("sha512", $_POST["password"].$salt);
insert_values_into_db;
When logging in:
$given_password=$_POST["password"];
$salt=get_salt_from_db;
$correct_password=get_password_from_db;
if(hash("sha512", $given_password.$salt) === $correct_password){
//Password is correct
}else{
//Password is incorrect
}
Are there any blatantly obvious errors with this?
Best solution: If you have PHP version 5.5 or above, use the password_hash function. If not, check out the password_compat library by ircmaxwell.
All these hashes are optimized for speed and made to go easy on the processor. (MD5, SHA512, etc.) Because of this cracking them is just as easy. I would either re-hash a couple of more times or just use the crypt method: http://php.net/manual/en/function.crypt.php.
Read more on password hashing in the documentation of PHP: http://php.net/manual/en/faq.passwords.php
The most common way of storing passwords in a database people use is either
md5 the password like : md5($password)
OR
crypt($password)
You could also add double md5 or double crypt for password to be really secure
This question already has answers here:
Secure hash and salt for PHP passwords
(14 answers)
Closed 8 years ago.
Is there an advantage as to where password hash and salt occurs, in PHP vs in a database? It seems having the process occur inside of a database would be the optimal solution; since the web server and the database would only have to exchange the password and not the salt.
It's okay to store the salt in the database. It's an advantage to do so, because you want to use a different random salt per user.
I recommend doing the hashing in the application.
The reason is that if you do the hashing in an SQL expression, and you use query logging on the database server, you might be storing plaintext samples of the user passwords in the query log.
If you're using something better than a simple hash + salt, like PBKDF2, you're going to have to involve PHP at this point AFAIK. So in terms of best location, for me, the best location is in the code because that's where you can do the "best" method of password hashing.