This question already has answers here:
Secure hash and salt for PHP passwords
(14 answers)
Closed 5 years ago.
What is the best way to encrypt a password in PHP? CodeIgniter's documentation says that passwords should be hashed using PHP's Password Hashing extension. Until now I have been encrypting passwords using CodeIgniter's encryption key. Any suggestions?
Use this for password hashing:
<?php
/**
* We just want to hash our password using the current DEFAULT algorithm.
* This is presently BCRYPT, and will produce a 60 character result.
*
* Beware that DEFAULT may change over time, so you would want to prepare
* By allowing your storage to expand past 60 characters (255 would be good)
*/
echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT)."\n";
?>
Use this for password verification:
<?php
// See the password_hash() example to see where this came from.
$hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';
if (password_verify('rasmuslerdorf', $hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}
?>
You can also use the md5() function for password encryption and decryption.
Here is the example:
$password = '123456789';
$encrypted_password = md5($password);
echo "Encrypted Password :".$encrypted_password;
-------------------
Output :
Encrypted Password : 25f9e794323b453885f5181f1b624d0b
Now, to check whether the entered password is correct (for example at login), get the stored md5 password from the database and check it this way:
$entered_password = '123456789';
$stored_password = '25f9e794323b453885f5181f1b624d0b'; // md5 value fetched from the database
$encrypted_password = md5($entered_password);
if ($encrypted_password == $stored_password) {
    echo "Success";
} else {
    echo "Fail";
}
This question already has answers here:
How to verify_password from a database
(2 answers)
Closed 3 years ago.
So I have a login page which worked fine without hashed passwords, but of course that wasn't secure, so I decided to hash the passwords when registering.
But I don't know how and where I should use password_verify when I'm selecting the password from the database. I use a while loop to see if there is a result with the username and password entered, like this:
$q = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$x = $conn->query($q);
if ($x->num_rows > 0) {
    while ($row = $x->fetch_assoc()) {
        // Logged in successfully!
    }
} else {
    // Username or password is wrong!
}
The password_hash() function can simplify our lives and make our code secure. When you need to hash a password, just feed it to the function and it will return the hash, which you can store in your database.
$hash = password_hash($password, PASSWORD_DEFAULT);
Now that you have seen how to generate hashes with the new API, let’s see how to verify a password. Remember that you store the hashes in a database, but it’s the plain password that you get when a user logs in.
The password_verify() function takes a plain password and the hashed string as its two arguments. It returns true if the hash matches the specified password.
<?php
if (password_verify($password, $hash)) {
    // Success!
} else {
    // Invalid credentials
}
for more info read
I am using sha1 for my password security. I have stored the password this way in register.php:
// secure password
$salt = openssl_random_pseudo_bytes(20);
$secured_password = sha1($password . $salt);
//Send it to mysql table
$result = $access->registerUser($username, $secured_password, $salt, $email, $fullname);
This is all working fine.
The problem is here:
In my login.php:
$password = htmlentities($_POST["password"]);
$secure_password = $user["password"];
$salt = $user["salt"];
// 4.2 Check if the entered password matches the password from the database
if ($secure_password == sha1($password . $salt)) {
    //do something
} else {
    //do something
}
I always get that the password does not match.
Where am I going wrong?
First things first. NEVER USE SHA OR MCRYPT TO STORE YOUR PASSWORD.
EDIT: The password_hash() function generates a long password hash, so make sure that your column in MySQL is a VARCHAR of 500 characters.
All these useless practices are the root reason why so many websites get hacked. To tackle the situation, PHP did a lot of research and finally came up with the most secure function, called password_hash(). I am not going to explain password_hash() here as there are already many documents on the internet.
You can always hash a password like this:
<?php
$securePassword = password_hash($_POST['password'], PASSWORD_DEFAULT);
$query = $db->query('INSERT INTO users ......');
?>
And, to verify the password, you can simply use this function:
<?php
$passwordHash = $query['password']; // Password from database
$userPassword = $_POST['password']; // Password from form
if (password_verify($userPassword, $passwordHash)) {
    echo 'Password is correct, logged in!';
} else {
    echo 'Password is wrong, try again';
}
?>
And, the answer to your question.
PLEASE DON'T USE SHA OR MCRYPT OR BCRYPT. IF YOU WANNA GET YOUR WEBSITE HACKED, THEN CONTINUE. OR USE password_hash()
The reason you don't get the same hash generated each time is that openssl_random_pseudo_bytes() generates random numbers each time. So during each execution the function returns different numbers, you get your sha result wrong, and thus a FALSE alert.
PLEASE, AGAIN. I BEG YOU TO USE THE password_hash() FUNCTION
For more information on password_hash() and password_verify():
http://php.net/manual/en/function.password-hash.php
http://php.net/manual/en/function.password-verify.php
This question already has answers here:
Using PHP 5.5's password_hash and password_verify function
(4 answers)
Closed 7 years ago.
I am using this to hash passwords: https://github.com/ircmaxell/password_compat
$hash = password_hash($pass1, PASSWORD_BCRYPT, array("cost" => 16));
if (password_verify($password, $hash)) {
    /* Valid */
} else {
    /* Invalid */
}
It works. It hashes passwords. But I don't know how to verify the password on the login page. I have tried with sessions but it doesn't work with sessions either.
You have to put the hash in the database.
Step one: create and store the hash in the database
$hash = password_hash($pass1, PASSWORD_BCRYPT, array("cost" => 16));
Step two: login
$hash = $row['password'];      // hash of the user, fetched from the database by unique id
$password = $_POST['password']; // string submitted by the user from the login form
if (password_verify($password, $hash)) {
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, array("cost" => 16))) {
        $hash = password_hash($password, PASSWORD_BCRYPT, array("cost" => 16));
        /* Store new hash in db */
    }
} else {
    /* Invalid */
}
Hope it helps you.
The way I have done it in the past is in the following steps:
1) The user submits their username/password combination.
2) I check whether the username exists in the database; if it does, I pull that user record from the database, and if it doesn't, I present a generic error to the user (i.e. wrong username/password combination).
3) I then use the password_verify function with the submitted password against the hashed password connected to the user they are trying to log in as.
4) If it's true, they're logged in; otherwise I present the same generic error to the user (wrong username/password combination).
Basically you have to hash the password the user enters on the login page and check whether the saved hash in the database is equal to the hash of the password the user sends on login.
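A login routine that follows the four steps above and also replaces the interpolated `SELECT ... WHERE username='$username' AND password='$password'` from the earlier question with a prepared statement. This is an added example, not code from any of the answers; it assumes a PDO connection `$pdo` and a `users` table with `id`, `username` and `password` (VARCHAR(255)) columns.

```php
<?php
// Added example: look up the user by username only, let password_verify()
// do the comparison, and upgrade the stored hash when needed.
// Assumes: $pdo is a PDO connection and the table is
//   users(id INT, username VARCHAR(64), password VARCHAR(255))

function login(PDO $pdo, string $username, string $password): ?int
{
    // Prepared statement: the username never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: same generic failure as a wrong password.
        return null;
    }

    if (!password_verify($password, $row['password'])) {
        return null;
    }

    // The hash string carries its algorithm and cost, so after a successful
    // login we can tell whether it was made with an older setting and replace it.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $pdo->prepare('UPDATE users SET password = ? WHERE id = ?');
        $upd->execute([$newHash, $row['id']]);
    }

    return (int) $row['id'];
}

// Registration stores only the hash, never the plaintext.
function register(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Usage on the login page:
session_start();
$userId = login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
if ($userId === null) {
    $error = 'Invalid username or password.';   // one message for both failure cases
} else {
    session_regenerate_id(true);                // new session id after authentication
    $_SESSION['user_id'] = $userId;
}
```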
I am using the password_hash() function.
Now it works to hash the password, but how do I verify it?
Well, the function for this is called password_verify.
This is how it works:
<?php
$password = "[PASS]"; // Password the user filled in.
$hash = "[HASH]";     // The hashed password that you saved.
$checkPass = password_verify($password, $hash); // This returns a boolean: true or false
if ($checkPass == true) {
    echo 'Password is good!';
} else {
    echo 'Password is wrong!';
}
?>
boolean password_verify ( string $password , string $hash )
Verifies that the given hash matches the given password.
Note that password_hash() returns the algorithm, cost and salt as part of the returned hash. Therefore, all information that's needed to verify the hash is included in it. This allows the verify function to verify the hash without needing separate storage for the salt or algorithm information.
password: The user's password.
hash: A hash created by password_hash().
http://php.net/manual/en/function.password-verify.php
Hey guys, I'm trying to make a login system which uses MD5 encryption for the password. I have the encrypting working and all; it's just that for some reason when I enter the password "palmer" into the login page and click the login button I made, it sends me to a page where it tells me the encrypted password, and using "palmer" as the password it outputs this: "Duncan Logged in using password 4844fd4088ef5278ad18f892808ebda8 - palmer". The password in the database when encrypted is "4669a6b46c8d891b373cfcd664dff6". Why are the two passwords different? I am using the same salt (the salt is "a123b123").
Below is my code which encrypts the password on register:
$password = $_POST['password'];
$md5pass = md5($salt.md5($password));
Below is my login code:
<?php
session_start();
include('config/config.php');
$email = $_POST['email'];
$password = $_POST['password'];
$pass2 = md5($salt.md5($password));
$check = mysql_query("SELECT `email`,`password` FROM user WHERE (`email`='$email' AND `password`='$pass2')") or die(mysql_error());
$count = mysql_num_rows($check);
//if($count == 1) {
    $_SESSION['user'] = strtoupper($user);
    //header('Location: /panel/index.php');
    echo("Duncan Logged in using password $pass2 - $pass");
//} else {
    //$_SESSION['errormsg'] = "<div id='error'><strong>Error:</strong> Invalid Username or Password!</div>";
    //header('Location: index.php');
//}
?>
You have to store your salt – and please, use a random salt; this way two users with the same password will get a different digest! – somewhere for later use:
$salt = sha1(getRandomSalt()); // getRandomSalt() stands for your own random-salt generator
$digest = sha1($password.$salt).'$'.$salt; // use sha1 instead of md5
Later you can check the provided password with the same salt:
list($stored_pw, $stored_salt) = explode('$', $stored_digest);
if ($stored_pw == sha1($user_provided_pw.$stored_salt)) {
    echo 'user provided correct password';
}
You should really use bcrypt for this. There is more on bcrypt in the previous Stack Overflow post How do you use bcrypt for hashing passwords in PHP?
bcrypt is considered the most secure way to implement password hashing with salt because it is slow, much slower than MD5.
Just a little comment on knittl's solution above:
You need to replace the line
if($stored_pw = sha1($user_provided_pw.$stored_salt)) {
by
if($stored_pw == sha1($user_provided_pw.$stored_salt)) {
to get it working.
(I tried to add it to knittl's post, but it says edits need to be at least 6 characters long.)
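Both the sha1($password . $salt) scheme with a separate salt column from the earlier question and the "digest$salt" layout above can be retired without forcing a password reset: verify the legacy digest one last time, then store a password_hash() value and drop the salt. This is an added example, not knittl's code or any answer's; the PDO connection `$pdo` and a `users` table with `id`, `username`, `password` and nullable `salt` columns are assumptions.

```php
<?php
// Added example: accept a legacy sha1($password . $salt) digest (stored either
// as "digest$salt" in one column or with a separate salt column) once, then
// replace it with a password_hash() value. Assumes a PDO connection $pdo and a
// users table with columns id, username, password, salt (salt may be NULL).

function legacyDigestMatches(string $stored, ?string $salt, string $password): bool
{
    if ($salt === null && strpos($stored, '$') !== false) {
        // "digest$salt" layout: digest and salt share one column
        [$stored, $salt] = explode('$', $stored, 2);
    }
    if ($salt === null) {
        return false;
    }
    // hash_equals() compares in constant time instead of stopping at the first differing byte
    return hash_equals($stored, sha1($password . $salt));
}

function loginWithUpgrade(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password, salt FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }

    // A password_hash() string embeds algorithm, cost and salt; anything
    // password_get_info() cannot identify is treated as a legacy digest.
    if (password_get_info($row['password'])['algoName'] !== 'unknown') {
        return password_verify($password, $row['password']) ? (int) $row['id'] : null;
    }

    if (!legacyDigestMatches($row['password'], $row['salt'], $password)) {
        return null;
    }

    // Legacy digest verified: this is the only moment the plaintext is available,
    // so rehash now and clear the old salt so the legacy path never runs again.
    $upd = $pdo->prepare('UPDATE users SET password = ?, salt = NULL WHERE id = ?');
    $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    return (int) $row['id'];
}
```

The md5($salt . md5($password)) layout from the question above fits the same pattern; only the digest expression inside legacyDigestMatches() changes.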