This question already has answers here:
Implement password recovery best practice
(12 answers)
Closed 7 years ago.
I am currently using password_hash which is one-way hash function so cannot be decrypted. So what exactly should I do for providing password recovery feature for users in case they forget password. Is there any built-in function like verify_password.
The simplest one is, you can email a link to reset the old password with the new one to the user who have forgotten his/her password. This doesn't require decrypting the old password and is pretty secure.
And also, I think this question might be helpful
Effective Techniques for Password Retrieval in Modern Web Applications
Related
This question already has answers here:
Secure hash and salt for PHP passwords
(14 answers)
Closed 4 years ago.
I used a mysql database to create a user's registration form and in my sign up code, I did not specify the encryption type for password. How do I create a login form in php which requires password?
Please use PHP's built-in functions to handle password security. If you're using a PHP version less than 5.5 you can use the password_hash() compatibility pack. It is not necessary to escape passwords or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding.
This question already has answers here:
Secure hash and salt for PHP passwords
(14 answers)
Closed 5 years ago.
In storing passwords in php mysql, can i assume the passwords to be safe if i were to run md5 algorithm again and again and with combination of text replacement and rotation?
No, MD5 is not secure to use to create a password verifier.
With PHP use password_hash and password_verify, the pair are secure and easy to use.
When saving a password verifier just using a hash function is not sufficient and just adding a salt does little to improve the security. Instead use a function such as PBKDF2, Rfc2898DeriveBytes, Argon2, password_hash, Bcrypt or similar functions with about a 100ms duration. Make the attacker spend substantial of time finding passwords by brute force.
This question already has answers here:
Secure hash and salt for PHP passwords
(14 answers)
Closed 5 years ago.
In my website I use md5 to crypt password user in my database (and store session user)
$pswUser = md5($_POST["password"]);
But I have just been told that this way of encrypting has become obsolete
I did some research to find out how to do it but most of the posts dates from two or three years ago
So what is the best way to encrypt password in 2017 ?
Thank you
Isn't duplicate discussion ...
Secure hash and salt for PHP passwords => 2009 ...
The password hash function in combination with password verify
https://secure.php.net/manual/en/function.password-hash.php
https://secure.php.net/manual/en/function.password-verify.php
This question already has answers here:
Secure hash and salt for PHP passwords
(14 answers)
Closed 8 years ago.
Would the following be a safe way of storing a user's password in a database?
When registering:
$salt=hash("sha512", rand());
$password=hash("sha512", $_POST["password"].$salt);
insert_values_into_db;
When logging in:
$given_password=$_POST["password"];
$salt=get_salt_from_db;
$correct_password=get_password_from_db;
if(hash("sha512", $given_password.$salt) === $correct_password){
//Password is correct
}else{
//Password is incorrect
}
Are there any blatantly obvious errors with this?
Best solution: If you have PHP version 5.5 or above, use the password_hash function. If not, check out the password_compat library by ircmaxwell.
All these hashes are optimized for speed and made to go easy on the processor. (MD5, SHA512, etc.) Because of this cracking them is just as easy. I would either re-hash a couple of more times or just use the crypt method: http://php.net/manual/en/function.crypt.php.
Read more on password hashing in the documentation of PHP: http://php.net/manual/en/faq.passwords.php
The most common way of storing passwords in a database people use is either
md5 the password like : md5($password)
OR
crypt($password)
You could also add double md5 or double crypt for password to be really secure
This question already has answers here:
Secure hash and salt for PHP passwords
(14 answers)
Closed 8 years ago.
Is there an advantage as to where password hash and salt occurs, in PHP vs in a database? It seems having the process occur inside of a database would be the optimal solution; since the web server and the database would only have to exchange the password and not the salt.
It's okay to store the salt in the database. It's an advantage to do so, because you want to use a different random salt per user.
I recommend doing the hashing in the application.
The reason is that if you do the hashing in an SQL expression, and you use query logging on the database server, you might be storing plaintext samples of the user passwords in the query log.
If you're using something better than a simple hash + salt, like PBKDF2, you're going to have to involve PHP at this point AFAIK. So in terms of best location, for me, the best location is in the code because that's where you can do the "best" method of password hashing.