Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Best practices: safest method to store passwords in a table? [closed]

Tags:

security

php

password-encryption

I am using PHP. I used to use native mysql function password() to store passwords. I was told that password() is not safe anymore. What would be the best method to store passwords in PHP? is it MD5?

like image 776
Moon Avatar asked Oct 20 '09 05:10

Moon

3 Answers

Updated Answer 2016:

The winner of the PHC (Password Hashing Competion) was Argon2. Hashing passwords with Argon2 is the best practice as of 2016.

PHC ran from 2013 to 2015 as an open competition—the same kind of process as NIST's AES and SHA-3 competitions, and the most effective way to develop a crypto standard. We received 24 candidates, including many excellent designs, and selected one winner, Argon2, an algorithm designed by Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich from University of Luxembourg.

We recommend that use you use Argon2 rather than legacy algorithms.

The reference implementation is available on GitHub.

Updated Answer 2012:

The original answer I gave below was once considered to be a best practice. However, advances in hash-computing technology have rendered these schemes vulnerable. Going forward, the only secure password hashing schemes are iterative hashes such as bcrypt and PBKDF2. For a full discussion, see Jeff Atwood's analysis.

Original Answer 2009:

I recommend first prepending a salt value to your password, followed by hashing the resultant string with a reasonably strong hashing function like SHA256. This secures against the obvious (plain text passwords) and the not so obvious (attack using Rainbow tables).

Keep in mind that if you store passwords in this way, you will not be able to retrieve a user's lost password. They'll only be able to reset passwords. This is because you'll be using a one way hash. But this limitation is generally worth the tradeoff for a more secure password storage system. Even if your database is compromised, your user's passwords will still be exceedingly difficult and probably unpractical to recover by a would be attacker.

like image 167
Asaph Avatar answered Nov 19 '22 00:11

Asaph

bcrypt is actually more secure. See: Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes

like image 25
Jay Sidri Avatar answered Nov 18 '22 22:11

Jay Sidri

You need to salt the password.

vBulletin does a pretty good job at storing passwords. md5(md5(password) + salt);

like image 2
jdelator Avatar answered Nov 18 '22 23:11

jdelator
Sign in to Comment

Related questions

How to remove JS comments using PHP?
Symfony2: how to read parameters array in config.yml
Laravel hasManyThrough equivalent: belongsTo relationship through another model
Where do I put my Hello world PHP file on Ubuntu?
CakePHP get action name
Can you iterate over the properties of an eloquent object?
Google_Service_Directory - (403) Not Authorized to access this resource/api
Stripe: How to set up recurring payments without plan?
Yii2, Custom validation message with attribute names
Required @SWG\Info() not found
Laravel Attach/Detach model from pivot depending on pivot extra field
Render PHP file into string variable
view path not found
Test methods fail using Storage. Illuminate\Http\Testing\imagepng() in Laravel
Center all text in PHPSpreadsheet and make the cells expand to fill up with context
I am getting error in wamp for PHP in path
Symfony 5 & EasyAdmin 3.0 - /admin route not found
Laravel: Target [Lcobucci\JWT\Parser] is not instantiable
What is a callback function and how do I use it with OOP
Is there a way to share object between php pages?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!