To make my site more secure, am I using password_hash correctly?

I have a VERY small site, and recently I tried to make it more secure; I used to store my passwords in plain text.

I think I'm doing it right, but as a hobby programmer I want to make sure, so I ask you, professionals.

When a user logs in, do the following: password_hash($their_password, PASSWORD_DEFAULT) and save it in the "password" column in the users table. I am using PASSWORD_DEFAULT as it seems the best according to php.net.

Please note that this constant is intended to change over time, as newer and stronger algorithms are added to PHP.

That sounds good!

And the input part (very simple):

    if (count($_POST) > 0) {
        $username = trim($_POST['username']);
        $password = trim($_POST['password']);

        $query = $db->prepare("SELECT password FROM users WHERE username = ?");
        $query->execute(array($username));
        $row = $query->fetch();

        // $row is false when the username does not exist; without this guard
        // password_verify() would be handed a null instead of a hash string.
        if ($row !== false && password_verify($password, $row['password'])) {
            echo "Correct password";
            // create session...
        } else {
            // wrong password
        }
    }

Maybe I need to check whether the username exists, but other than that, what do you think?

+7
php
2 answers

It sounds like you understood the documentation very well and how to build the necessary code. Shame on you for using plain-text passwords even temporarily, but fixing your mistake using the correct method (i.e. not md5, like me, a stupid person (I really need to upgrade my password-saving systems...)) is awesome.

The only problem I see is that some people may start or end their passwords with a space. Such passwords lose their leading/trailing spaces, and indeed the user may be alarmed that they can log in with either two spaces or none! Therefore, it is probably best to remove these trim calls ;)

+2
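A complete register-and-login pair using password_hash()/password_verify(), as an added example that is not the asker's code or the answer's. It keeps the points raised above: the password is stored without trim(), an unknown username is handled explicitly instead of feeding a missing row to password_verify(), and a stored hash is upgraded with password_needs_rehash() when PASSWORD_DEFAULT changes. It runs against an in-memory SQLite database so it works stand-alone; the table layout, the sample account and the dummy hash are assumptions for the example.

```php
<?php
// Added example (not the asker's code): registration + login with password_hash/password_verify.
// Uses an in-memory SQLite database so it runs stand-alone; a real site would use its own PDO connection.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password TEXT NOT NULL)');

// Registration: hash once and store the whole hash string (it embeds algorithm, cost and salt).
function registerUser(PDO $db, string $username, string $password): void
{
    // No trim(): leading/trailing spaces are part of the password the user chose.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Login: true only for a known username with the matching password.
function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: still run password_verify() against a dummy hash (assumed value) so the
    // response time does not differ between existing and non-existing usernames.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password-never-accepted', PASSWORD_DEFAULT);
    }
    $storedHash = ($row !== false) ? $row['password'] : $dummyHash;

    $ok = password_verify($password, $storedHash);
    if ($row === false) {
        return false;
    }

    if ($ok && password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        // PASSWORD_DEFAULT is documented to change over time; upgrade old hashes on a successful login.
        $upd = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return $ok;
}

// Constructed sample account: the password deliberately has leading and trailing spaces.
registerUser($db, 'alice', ' correct horse ');

var_dump(loginUser($db, 'alice', ' correct horse '));   // exact password
var_dump(loginUser($db, 'alice', 'correct horse'));     // same characters minus the spaces
var_dump(loginUser($db, 'nobody', 'anything'));         // username that does not exist
```

Because nothing is trimmed, only the exact password the user registered with verifies; the second call fails even though it differs only in whitespace, and the third fails without any warning about a missing row. The rehash step costs nothing when the stored hash already matches the current default.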

Hi :) I am also a hobbyist, and I think I can point you in the right direction, despite the fact that I do not know how the magic happens. 1) The user enters his password, the program encrypts it using a specific method, and this secret password is saved. 2) Bam. NOBODY can see what the original is, not even the user who entered it. When logging in, this operation is repeated: the password the user enters to log in is encrypted with the same process and then compared with the encrypted saved password. They must match if they were the same unencrypted original.

Well

For added security, something called a “salt” is sometimes added to the encryption process, making it even harder to crack a password. Say someone somehow grabbed your encryption code and the encrypted password list and tried to reverse-engineer the process from your code? Well, now this person has additional work to find out what your “salt” was... (it could be a string stored on your server, a clever game with dates of the month, etc. ... many options). This is what I remember from what I read. Lots of pointers to get you started. And further:

I use this, which I got from somewhere on the Internet a few years ago:

    function encryptTheString($password, $salt, $iter_count = 4096, $keylen = 64, $hash_alg = 'sha256')
    {
        // Compute the length of the hash algorithm's output.
        // Some folks use a static variable and save the value of the hash len.
        // Considering we are doing 1000s of HMACs, doing one more won't hurt.
        // (Hashing '' rather than null: null here is deprecated in PHP 8.1+.)
        $hashlen = strlen(hash($hash_alg, '', true));

        // Compute the number of blocks needed to make $keylen bytes.
        $numblocks = ceil($keylen / $hashlen);

        // Blocks are appended to this.
        $output = '';

        for ($i = 1; $i <= $numblocks; ++$i) {
            // First iteration: HMAC over salt || INT(i), keyed with the password.
            $block = hash_hmac($hash_alg, $salt . pack('N', $i), $password, true);
            $ib = $block;
            // Remaining iterations: chain the HMAC and XOR every result into $ib.
            for ($j = 1; $j < $iter_count; ++$j) {
                $block = hash_hmac($hash_alg, $block, $password, true);
                $ib ^= $block;
            }
            $output .= $ib;
        }

        // Extract the right number of output bytes.
        return substr($output, 0, $keylen);
    }

And a call like

    // The call must use the name the function was declared with (it was posted as ANDYETpbkdf2).
    $ePassword = encryptTheString($password, "111111111122222222223333333333444444444455555555566666666661234");

It would be perfectly fine; give sha256 a read to begin further enlightenment.

-3
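The encryptTheString() function above is a hand-written PBKDF2-HMAC, and PHP has shipped the same construction as hash_pbkdf2() since 5.5. The call shown uses one hard-coded salt for every user, which is the part worth fixing if you go this route. The following added example (not the answer's code) uses the built-in hash_pbkdf2() with a fresh random salt per user, stores every parameter needed to re-derive the key, verifies with hash_equals(), and shows why a shared salt is a problem: two accounts with the same password end up with identical stored keys. The iteration count, key length and the sample passwords are assumptions chosen for the demonstration.

```php
<?php
// Added example (not the answer's code): PBKDF2 via PHP's built-in hash_pbkdf2() with a random
// per-user salt, contrasted with a single site-wide salt like the one in the answer's call.
declare(strict_types=1);

const PBKDF2_ALGO = 'sha256';
const PBKDF2_ITERATIONS = 100000;   // assumption: illustrative value, tune to your hardware
const PBKDF2_KEYLEN = 32;           // derived key length in bytes
const SALT_BYTES = 16;

// Produce a storable record holding every field needed to repeat the derivation later.
function pbkdf2Record(string $password, ?string $salt = null): array
{
    if ($salt === null) {
        $salt = random_bytes(SALT_BYTES);   // fresh random salt for this user
    }
    $key = hash_pbkdf2(PBKDF2_ALGO, $password, $salt, PBKDF2_ITERATIONS, PBKDF2_KEYLEN, true);
    return [
        'algo'       => PBKDF2_ALGO,
        'iterations' => PBKDF2_ITERATIONS,
        'salt'       => base64_encode($salt),
        'key'        => base64_encode($key),
    ];
}

// Verify by re-deriving with the stored parameters and comparing in constant time.
function pbkdf2Verify(string $password, array $record): bool
{
    $storedKey = base64_decode($record['key']);
    $key = hash_pbkdf2(
        $record['algo'],
        $password,
        base64_decode($record['salt']),
        $record['iterations'],
        strlen($storedKey),
        true
    );
    return hash_equals($storedKey, $key);
}

// Constructed sample data: two users who happened to pick the same password.
$fixedSalt = 'site-wide-salt';   // stands in for the single hard-coded salt in the answer's call
$a = pbkdf2Record('hunter2', $fixedSalt);
$b = pbkdf2Record('hunter2', $fixedSalt);
// With one shared salt both records carry the identical key, so anyone reading the table can see
// that the two accounts share a password, and one cracking attempt covers both accounts.
$sameWithFixedSalt = ($a['key'] === $b['key']);

$c = pbkdf2Record('hunter2');
$d = pbkdf2Record('hunter2');
// With per-user random salts the stored keys differ even though the passwords are equal.
$sameWithRandomSalt = ($c['key'] === $d['key']);

var_dump($sameWithFixedSalt, $sameWithRandomSalt);
var_dump(pbkdf2Verify('hunter2', $c), pbkdf2Verify('Hunter2', $c));
```

The record stores the algorithm and iteration count alongside the salt so the parameters can be raised later without breaking existing accounts, which is the same reason password_hash() embeds them in its output string. If you do not have a specific reason to manage these fields yourself, password_hash() from the first answer does all of this for you.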
