Why do you need to store a password in general, even an encrypted version? Is your site accessing a third-party API in a backend that runs HTTP Basic auth or something else?
Unfortunately, there is no final answer to your question. “Suitable” means different things to different people. And with security issues, I'm not sure that it is ever possible to be “sufficiently suitable” or “sufficiently safe”. However, here I handle logins and password security. In my users database, I have 3 columns related to registration:
The username column is in plain text. The salt column is a 64-character string of randomly selected alphanumeric characters. The passwordHash column is the user's password combined with their salt value and then irreversibly hashed. I use sha256 for my hashes. The salt is 64 characters because that is the length of the string sha256 produces. It is good to have a salt value at least as long as the hash, to get enough variability in the hashed string.
When a user submits a login form, I make a database request for the username. If the username is not found, I show the user the error "Invalid username and / or password." If the username is found, I combine the salt with the password, hash that, and see if the passwordHash value matches. If not, the user is shown exactly the same error.
It is good to show the same error message regardless of whether the username was incorrect, or the password was incorrect, or both. The fewer hints you give the hacker, the better. In addition, whenever a user changes their password, I also give them a new salt. It is really easy to do at that point in time, and it keeps the salt values a little fresher.
This system, having a different salt for each user, is called dynamic salting. It greatly complicates the work of a hacker if they try to use rainbow tables to reverse engineer user passwords. Not to mention that storing passwords in an irreversibly hashed form goes a long way toward stopping someone from determining a user's password, even if they have access to the database and the PHP code.
It also means that if a user forgets their password, there is no way to retrieve it. Instead, you write your system to reset it to a new random value, which is sent to them along with a strong encouragement to change the password as soon as they log in again. You can even write your system to force this the next time they log in successfully.
I require passwords to be at least 8 characters long. Ideally, they should also include numbers and special characters, but I have not decided yet what to require. Maybe I should!
To protect against brute-force attacks, I track all failed logins for the previous 10 minutes. I track them for every IP address. After 3 failed login attempts, the system uses the sleep() function to delay the response to further login attempts. I use a code block like the following:

    <?php
    // $failedAttempts: failed logins from this IP address in the last 10 minutes
    $delay = $failedAttempts - 3;   // the first 3 attempts are not delayed
    if ($delay > 0) {
        sleep($delay);              // every further failure adds one second to the response
    }
IMHO this is much better than locking users out of their accounts after a hard number of failures. It reduces the number of customer support requests you receive, and is more graceful for legitimate users who simply cannot remember their own passwords. Brute-force attacks must make many attempts per second in order to have any kind of efficiency, so a delay that grows with the number of failed attempts does not allow them to get very far.
Login sessions are tracked using PHP sessions. Call session_start() when every page of your site loads. (This is very simple if you have a common header.php file.) This makes the $_SESSION variable available. When a user successfully logs in, you can use it to store the information your site needs to know that the user is logged in. I usually use their user ID, username, and possibly some other site-specific details. But I do not include the password or hash here. If somehow a hacker got into the user session data stored on your server, they still would not be able to find the user's password this way.
Logging out occurs when one of two things happens: either 1) the user's session cookie is deleted, for example by clearing the browser's cache, and sometimes just by closing the browser window, or 2) the server deletes its session data. You can make the latter happen by calling session_destroy() when the user clicks the "Logout" button on your site. Otherwise, you can force sessions to expire automatically after a certain period of time. This may involve setting the session.gc_* parameters in php.ini.
If you must know the user's password after the initial login phase, you can save it in $_SESSION. DO THIS IF AND ONLY IF your site requires an SSL connection, and you have set it up so that the site will not work without one. That way, the password is encrypted and protected from packet sniffing. But be aware that this is a security risk if a hacker gains access to your server's session data.
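The flow described in this answer (per-user random salt plus sha256, one identical error for unknown user and wrong password, a growing delay after the third failure in ten minutes, and a session that carries identity but not the password) as an added, self-contained example. This is not the answerer's code: the in-memory `$users` and `$failedLogins` arrays stand in for the database, the constant-time `hash_equals()` comparison and the dummy hash computed for unknown usernames (so the response time does not reveal whether the account exists) are additions, and `MAX_DELAY_SECONDS` is an assumed cap so one client cannot hold a worker for minutes.

```php
<?php
// Added example, not code from the original answer. Demonstrates salted
// sha256 storage, identical login errors, a failure-based delay and a
// session payload that never contains the password or hash.
declare(strict_types=1);

const SALT_LENGTH = 64;          // 64 hex characters, same length as a sha256 hex digest
const MIN_PASSWORD_LENGTH = 8;
const FREE_ATTEMPTS = 3;         // failures before sleep() kicks in
const MAX_DELAY_SECONDS = 30;    // assumption: cap so a single client cannot tie up a worker
const FAILURE_WINDOW = 600;      // 10 minutes, in seconds

// Constructed stand-in for the users table: username => ['salt' => ..., 'passwordHash' => ...]
$users = [];
// Constructed stand-in for the failed-login log: ip => [unix timestamps]
$failedLogins = [];

function makeSalt(): string {
    // random_bytes() is CSPRNG-backed; 32 bytes -> 64 hex characters
    return bin2hex(random_bytes(SALT_LENGTH / 2));
}

function hashPassword(string $salt, string $password): string {
    return hash('sha256', $salt . $password);
}

function registerUser(array &$users, string $username, string $password): bool {
    if (strlen($password) < MIN_PASSWORD_LENGTH) {
        return false;
    }
    $salt = makeSalt();                      // a fresh salt per user (and per password change)
    $users[$username] = ['salt' => $salt, 'passwordHash' => hashPassword($salt, $password)];
    return true;
}

function recentFailures(array $log, string $ip, int $now): int {
    $recent = array_filter($log[$ip] ?? [], fn(int $t) => $t > $now - FAILURE_WINDOW);
    return count($recent);
}

function loginDelay(int $failedAttempts): int {
    $delay = $failedAttempts - FREE_ATTEMPTS;
    return $delay > 0 ? min($delay, MAX_DELAY_SECONDS) : 0;
}

function attemptLogin(array $users, array &$log, string $ip, string $username, string $password, int $now): array {
    $delay = loginDelay(recentFailures($log, $ip, $now));
    if ($delay > 0) {
        sleep($delay);                       // slow every further attempt from this IP
    }

    // For an unknown username, hash against a throwaway salt anyway, so the
    // request costs about the same time whether or not the account exists.
    $known  = isset($users[$username]);
    $salt   = $known ? $users[$username]['salt'] : makeSalt();
    $stored = $known ? $users[$username]['passwordHash'] : hashPassword($salt, '');
    $ok     = hash_equals($stored, hashPassword($salt, $password)) && $known;

    if (!$ok) {
        $log[$ip][] = $now;
        // One message for "no such user", "wrong password" and "both"
        return ['ok' => false, 'error' => 'Invalid username and / or password.'];
    }
    // Only identity data goes into $_SESSION; never the password or its hash
    return ['ok' => true, 'session' => ['username' => $username]];
}

// Demo with constructed data (in a real app this is a POST handler after session_start())
registerUser($users, 'alice', 'correct horse battery');
$ip  = '203.0.113.5';                        // documentation address, constructed
$now = time();
print_r(attemptLogin($users, $failedLogins, $ip, 'alice', 'wrong password', $now));
print_r(attemptLogin($users, $failedLogins, $ip, 'nobody', 'wrong password', $now));
print_r(attemptLogin($users, $failedLogins, $ip, 'alice', 'correct horse battery', $now));
echo 'Delay after 5 recent failures: ' . loginDelay(5) . "s\n";
```

The demo logs two failures for the address, so the third call is still free of delay; a fourth failure from the same address would sleep for one second, a fifth for two, up to the assumed cap. In production the two arrays would be replaced by the database queries the answer describes, and the `session` array would be written into `$_SESSION` after `session_start()`.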