This question already has answers here:
Secure hash and salt for PHP passwords
(14 answers)
Closed 5 years ago.
On my website I use md5 to encrypt the user's password in my database (and to store the user session):
$pswUser = md5($_POST["password"]);
But I have just been told that this way of encrypting has become obsolete.
I did some research to find out how to do it, but most of the posts date from two or three years ago.
So what is the best way to encrypt passwords in 2017?
Thank you
Isn't this a duplicate discussion ...
Secure hash and salt for PHP passwords => 2009 ...
The password_hash function in combination with password_verify:
https://secure.php.net/manual/en/function.password-hash.php
https://secure.php.net/manual/en/function.password-verify.php
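As an added example (not part of the answer above), here is how a site that stored md5($password) can move to password_hash()/password_verify() and upgrade each user transparently at login; $users stands in for the database table and the md5 row is constructed for the demo.

```php
<?php
// Constructed sample data: one legacy user still stored as md5($password).
$users = [
    'alice' => ['hash' => md5('correct horse'), 'legacy_md5' => true],
];

function registerUser(array &$users, string $name, string $password): void {
    // PASSWORD_DEFAULT is currently bcrypt; PHP generates the salt and embeds it in the result.
    $users[$name] = ['hash' => password_hash($password, PASSWORD_DEFAULT), 'legacy_md5' => false];
}

function loginUser(array &$users, string $name, string $password): bool {
    if (!isset($users[$name])) {
        return false;
    }
    $row = $users[$name];
    if ($row['legacy_md5']) {
        // Legacy row: compare in constant time, then replace the md5 with a real password hash.
        if (!hash_equals($row['hash'], md5($password))) {
            return false;
        }
        $users[$name] = ['hash' => password_hash($password, PASSWORD_DEFAULT), 'legacy_md5' => false];
        return true;
    }
    if (!password_verify($password, $row['hash'])) {
        return false;
    }
    // If the default algorithm or cost has changed since the hash was made, upgrade it now.
    if (password_needs_rehash($row['hash'], PASSWORD_DEFAULT)) {
        $users[$name]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

registerUser($users, 'bob', 'hunter2');
loginUser($users, 'alice', 'correct horse');   // alice's row is upgraded from md5 to bcrypt here
var_dump($users['alice']['legacy_md5']);
var_dump(loginUser($users, 'bob', 'wrong'));    // wrong password is rejected
var_dump(loginUser($users, 'bob', 'hunter2'));
```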
This question already has answers here:
How does password salt help against a rainbow table attack?
(10 answers)
How can bcrypt have built-in salts?
(5 answers)
Password hashing, salt and storage of hashed values
(4 answers)
Closed 3 months ago.
I am wondering how password_verify() verifies the hash. I have reviewed the documentation and many answers on StackOverflow, but I didn't get the idea,
because, as I understood it, this function will compare the hash with the entered password after hashing it again, using the same salt, cost and algorithm.
But the question here: if anyone can separate the salt from the hashed password, then anybody can also rehash and try to match, and the salt will be useless here. Am I right, or what?
The salt has to be generated randomly each time the function is used (and that's what this function does; it no longer accepts a custom salt).
For example:
<?php
$password = "nothing";
echo password_hash($password, PASSWORD_DEFAULT);
echo PHP_EOL;
echo password_hash($password, PASSWORD_DEFAULT);
Gives the response:
$2y$10$mdJRjsoc1vR11SKa2JDyS.qSlxja/a0SUPuXC1NKsRLkzmayKwjku
$2y$10$H2th6dRY/i.xZzXSGxDZ1uaiwZx6s0.FM0NXcBcBQ0E2aNEHCJ57m
It's the same password with different results.
The hashed password is stored in a database or a file. In this case, a system admin (or someone who has hacked the database) can't tell if the same password is used by different users. Another point: rainbow tables can't be used against a hashed password with a salt. Only brute force can be done.
Using the same salt for all is not more secure than using a simple hash algorithm.
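An added example (not from the answer) that takes the bcrypt string apart to show that the salt password_verify() needs is stored inside the hash, that crypt() with that stored prefix is exactly the recomputation password_verify() performs, and why a second user with a different salt is unaffected; parseBcrypt is a helper written for this example.

```php
<?php
function parseBcrypt(string $hash): array {
    // Layout: $2y$<2-digit cost>$<22-char salt><31-char digest>, alphabet ./A-Za-z0-9.
    if (!preg_match('#^\$2y\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#', $hash, $m)) {
        throw new InvalidArgumentException('not a $2y$ bcrypt hash');
    }
    return ['cost' => (int) $m[1], 'salt' => $m[2], 'digest' => $m[3]];
}

$password = 'nothing';
$h1 = password_hash($password, PASSWORD_BCRYPT);   // two users who chose the same password
$h2 = password_hash($password, PASSWORD_BCRYPT);
$p1 = parseBcrypt($h1);
$p2 = parseBcrypt($h2);

// Same password, two freshly generated salts, therefore two different digests.
var_dump($p1['salt'] !== $p2['salt']);
var_dump($p1['digest'] !== $p2['digest']);

// password_verify() re-runs bcrypt with the cost and salt read from the stored string;
// crypt() given that same prefix performs the identical computation.
$prefix1 = sprintf('$2y$%02d$%s', $p1['cost'], $p1['salt']);
var_dump(crypt($password, $prefix1) === $h1);
var_dump(password_verify($password, $h1) && password_verify($password, $h2));

// The public salt only ties a guess to this one record: the value computed under
// user 1's salt does not match user 2's hash, so work cannot be shared across users.
var_dump(crypt($password, $prefix1) === $h2);
```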
This question already has answers here:
Is SHA-256 Case Insensitive?
(4 answers)
Closed 5 years ago.
Recently I started to make a UCP for a game server, but I came across a problem. The game server hashes passwords with sha256 and a salt. The hashed password looks like this: 399B77A0AD470496AE09579C2CA3FAF2F01E8A63D9F4ECFA6F60E32CE2E7E5E9
but the PHP hash function for sha256 gives this hash: 399b77a0ad470496ae09579c2ca3faf2f01e8a63d9f4ecfa6f60e32ce2e7e5e9.
When the user input and the password from the database are compared, they are not the same and the user can't log in.
How do I ignore uppercase/lowercase, or how do I make the hash function hash the input in uppercase?
Just do:
strtoupper($yourLowerCaseHash)
Another option to Matias' solution would be:
if (0 === strcasecmp($phpHash, $mysqlHash)) {}
see http://php.net/manual/en/function.strcasecmp.php
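An added example (not from either answer) that verifies a login against the game server's uppercase SHA-256 digest by normalising case and then comparing in constant time; the server's exact salt layout is not given in the question, so salt-then-password is an assumption here and the stored record is constructed.

```php
<?php
// Assumed layout: sha256(salt . password), stored as uppercase hex by the game server.
function verifyGameHash(string $password, string $salt, string $storedHex): bool {
    $computed = hash('sha256', $salt . $password);   // PHP emits lowercase hex
    // Bring both sides to one case, then use hash_equals() rather than strcasecmp()
    // so the comparison takes the same time regardless of how many characters match.
    return hash_equals(strtoupper($storedHex), strtoupper($computed));
}

// Constructed sample record, written the way the game server would store it.
$salt   = 'x7Q!';
$stored = strtoupper(hash('sha256', $salt . 'secretpass'));

var_dump(verifyGameHash('secretpass', $salt, $stored));   // same digest despite the case difference
var_dump(verifyGameHash('SecretPass', $salt, $stored));   // the password itself stays case-sensitive
```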
This question already has answers here:
Implement password recovery best practice
(12 answers)
Closed 7 years ago.
I am currently using password_hash, which is a one-way hash function, so it cannot be decrypted. So what exactly should I do to provide a password recovery feature for users in case they forget their password? Is there any built-in function like verify_password?
The simplest one is: you can email a link to reset the old password with a new one to the user who has forgotten his/her password. This doesn't require decrypting the old password and is pretty secure.
And also, I think this question might be helpful:
Effective Techniques for Password Retrieval in Modern Web Applications
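The reset-link flow described in the answer, as an added example (not the answer's own code): the old hash is never touched, only a hash of the single-use token is stored, and the token expires; $resets and $users stand in for database tables and the mail call is a hypothetical stub.

```php
<?php
$resets = [];

function createResetToken(array &$resets, string $email): string {
    $token = bin2hex(random_bytes(32));               // 256 bits from a CSPRNG
    // Store only a hash of the token, so a leaked table cannot be used to reset accounts.
    $resets[$email] = [
        'token_hash' => hash('sha256', $token),
        'expires'    => time() + 15 * 60,             // short lived
    ];
    // sendMail($email, "https://example.com/reset?email=$email&token=$token"); // hypothetical mailer
    return $token;                                    // returned only so this demo can use it
}

function completeReset(array &$resets, array &$users, string $email, string $token, string $newPassword): bool {
    if (!isset($resets[$email]) || time() > $resets[$email]['expires']) {
        return false;                                 // unknown or expired request
    }
    if (!hash_equals($resets[$email]['token_hash'], hash('sha256', $token))) {
        return false;
    }
    unset($resets[$email]);                           // consume the token before changing anything
    $users[$email] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Constructed sample account.
$users = ['user@example.com' => password_hash('old-password', PASSWORD_DEFAULT)];
$token = createResetToken($resets, 'user@example.com');
var_dump(completeReset($resets, $users, 'user@example.com', $token, 'new-password'));
var_dump(password_verify('new-password', $users['user@example.com']));
var_dump(completeReset($resets, $users, 'user@example.com', $token, 'again'));   // token already consumed
```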
This question already has answers here:
Is it possible to decrypt MD5 hashes?
(24 answers)
Closed 8 years ago.
I want to get the real password which was converted by WordPress into md5 format.
For example,
my md5 password is - 62cc2d8b4bf2d8728120d052163a77df
Real password - demo123.
I want to get the real password from the md5 version.
I tried this but it didn't give me what I want: http://md5encryption.com/
You cannot unhash a password. That is the whole reason you hash a password in the first place.
It is possible to brute-force a password, or use a rainbow table to look up the password, but that is why you (hopefully) used a salt on the password to ensure the hash is unique.
This question already has answers here:
Secure hash and salt for PHP passwords
(14 answers)
Closed 8 years ago.
I was wondering if
password_hash("custompassgoeshere", PASSWORD_BCRYPT)
is secure enough in order to store passwords in the DB, or if I should add some more SALT to it (I was thinking of something like the user's username/email/date of birth/etc).
Thanks!
Bcrypt would be secure enough on its own; ensure that you increase the iterations/cost to something high enough (but not too slow for your server). You may need to test a few values to find acceptable hashing times.
You do not need to salt your passwords: Bcrypt generates a unique salt for each hash automatically and stores it with the hash.
See: How can bcrypt have built-in salts?
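An added example (not from the answer) of the cost testing the answer recommends: it measures how long each bcrypt cost takes on the current machine, keeps the highest one under a target time, and uses password_needs_rehash() so older hashes pick up the new cost at login; calibrateBcryptCost and the 0.25 s target are choices made for this example.

```php
<?php
function calibrateBcryptCost(float $targetSeconds = 0.25, int $minCost = 10, int $maxCost = 31): int {
    $cost = $minCost;
    while ($cost < $maxCost) {
        $start = microtime(true);
        password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost + 1]);
        if (microtime(true) - $start > $targetSeconds) {
            break;                                    // cost+1 exceeds the budget; keep current cost
        }
        $cost++;
    }
    return $cost;                                     // each +1 roughly doubles the work
}

$options = ['cost' => calibrateBcryptCost()];

// No extra salt is passed: PHP generates a random one and embeds it in the 60-char result.
$hash = password_hash('custompassgoeshere', PASSWORD_BCRYPT, $options);

// At login: verify, then upgrade hashes that were made with a lower cost than today's setting.
if (password_verify('custompassgoeshere', $hash)
    && password_needs_rehash($hash, PASSWORD_BCRYPT, $options)) {
    $hash = password_hash('custompassgoeshere', PASSWORD_BCRYPT, $options);
}
echo 'bcrypt cost in use: ' . $options['cost'] . PHP_EOL;
```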