This question already has answers here:
Secure hash and salt for PHP passwords
(14 answers)
Closed 8 years ago.
Is there an advantage as to where password hash and salt occurs, in PHP vs in a database? It seems having the process occur inside of a database would be the optimal solution; since the web server and the database would only have to exchange the password and not the salt.
It's okay to store the salt in the database. It's an advantage to do so, because you want to use a different random salt per user.
I recommend doing the hashing in the application.
The reason is that if you do the hashing in an SQL expression, and you use query logging on the database server, you might be storing plaintext samples of the user passwords in the query log.
If you're using something better than a simple hash + salt, like PBKDF2, you're going to have to involve PHP at this point AFAIK. So in terms of best location, for me, the best location is in the code because that's where you can do the "best" method of password hashing.
Related
This question already has answers here:
How to use PHP's password_hash to hash and verify passwords
(5 answers)
Closed 10 months ago.
I want to hash passwords in PHP then send the result to MySQL.
From time to time I might want to use the available hashing functions in PHPMyAdmin to update/reset passwords.
I used to use MD5 for this in the past. As its available in PHP, PHPMyAdmin and in MySQL.
However MD5 is no longer an option due to security concerns.
I looked into SHA1 and that is no longer an option either.
SHA2 does not seem to be available in PHPMyAdmin so that wont work for easy password resetting.
One version of PHPMyAdmin I saw used password_hash but it wasn't available on another server so that is one issue. Another issue is it seems to produce a different output each time the function is run probably because of a random salt.
Is there a password hashing function that I can call from PHP, that will also be available in PHPMyAdmin and in MySQL as well?
Basically what should I replace MD5 with?
Gone are the days when there is a similar hashing function in all 3 areas.
I liked how MD5 was available in all 3 areas being PHP, PHPMyAdmin and MySQL. Since password_hash is the recommended way to hash passwords with PHP I will have to use that.
For resetting passwords in PHPMyAdmin I may allow MD5 hash and have the application update it to php password_hash next time the user logs in similar to how Wordpress did it. [If anyone sees a problem with this method I would like to be made aware]
This question already has answers here:
Secure hash and salt for PHP passwords
(14 answers)
Closed 5 years ago.
In storing passwords in php mysql, can i assume the passwords to be safe if i were to run md5 algorithm again and again and with combination of text replacement and rotation?
No, MD5 is not secure to use to create a password verifier.
With PHP use password_hash and password_verify, the pair are secure and easy to use.
When saving a password verifier just using a hash function is not sufficient and just adding a salt does little to improve the security. Instead use a function such as PBKDF2, Rfc2898DeriveBytes, Argon2, password_hash, Bcrypt or similar functions with about a 100ms duration. Make the attacker spend substantial of time finding passwords by brute force.
This question already has answers here:
Secure hash and salt for PHP passwords
(14 answers)
Closed 8 years ago.
I was wondering if
password_hash("custompassgoeshere", PASSWORD_BCRYPT)
Is secure enough in order to store passwords to the DB or if I should add some more SALT in it (I was thinking something like user's username/email/date of birth/etc).
Thanks!
Bcrypt would be secure enough on its own., ensure that you increase the iterations/cost to something high enough (but not too slow for your server). You may need to test a few values to test for acceptable hashing times.
You do not need to salt your passwords, Bcrypt generates unique salts for each hash automatically and stores it with the hash.
See: How can bcrypt have built-in salts?
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
PHP 2-way encryption: I need to store passwords that can be retrieved
Lately I'm a little confused reading several tutorials on storing passwords in databases. Most sites say that the best is using a hash and a salt to store the passwords or also store the passwords in two parts or add a general key for all passwords.
I saw several methods with crypt, sha, sha256, md5 and blowfish.
My question is, using crypt function with blowfish is safe or there are better/safer and more effective methods for storing passwords?
Well, apart from the obvious, not storing, hashing etc...
I'd say don't use the regular {MD5, SHA1, SHA256, SHA512, SHA-3, etc} if you can, even if you can salt them. Reasons for this can be found at:
http://codahale.com/how-to-safely-store-a-password
Simply put: use bcrypt
You might want to read up on this topic on
Password hashing, salt and storage of hashed values
http://dustwell.com/how-to-handle-passwords-bcrypt.html
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
This question already has answers here:
Closed 12 years ago.
Possible Duplicate:
Is it possible to decrypt md5 hashes?
Reversing an MD5 Hash
hi there is any way to decrypt md5 password field to allow user to edit password in form using javascript. or php.
MD5 is one way hashing algorithm - not a means of encrypting. As such, there's no means of decrypting it - only checking to see if another source input has the same hash.
No, there is no way, since hashing is not a reversible operation.
Your question is not very clear, but recovery of the origional string for hashes can be done with rainbowtables: http://en.wikipedia.org/wiki/Rainbow_table
(if the hash was salted, this will become troublesome ofcourse)
I wrote an app a few years back that brute-forces MD5 hashes against wordlists and previously-cracked MD5 hashes it finds via search engines, see if it comes up with anything for you:
http://bigtrapeze.com/md5/