On my website I use md5 to encrypt the user's password in my database (and to store the user session):
$pswUser = md5($_POST["password"]);
But I have just been told that this way of encrypting has become obsolete.
I did some research to find out how to do it, but most of the posts date from two or three years ago. So what is the best way to encrypt passwords in 2017?
Thank you
Isn't this a duplicate discussion? ... Secure hash and salt for PHP passwords => 2009 ...
Luckily, PHP makes this easy thanks to password_hash():
$hash = password_hash($password, PASSWORD_DEFAULT);
The password_hash() function not only uses a secure one-way hashing algorithm, but it also automatically handles the salt and prevents time-based side-channel attacks.
Google recommends using stronger hashing algorithms such as SHA-256 and SHA-3. Other options commonly used in practice are bcrypt and scrypt, among many others that you can find in this list of cryptographic algorithms.
The functions generally used to encrypt the username and password in PHP are md5(), sha1() and base64_encode().
The best way to encrypt and decrypt passwords is to use a standard library in PHP, because properly encrypting and decrypting passwords from scratch is complex and opens up multiple possibilities for security vulnerabilities. Using the standard library ensures that the hashing implementation is verified and trusted.
Now, how to store a password in 2017. The answer is to use a very slow hashing algorithm with some random salt. The one PHP officially recommends is the bcrypt algorithm. bcrypt is very slow, and since we are adding some random salt along with it, it is literally impossible for the attacker to crack a password.
Secret Key Encryption is also called Symmetric Encryption. Secret Key Encryption in PHP uses just one key, called a shared secret, for both encrypting and decrypting. To encrypt the data, the same key is used by the sender (for encryption) and the receiver (for decryption), so the key is shared.
The one PHP officially recommends is the bcrypt algorithm. bcrypt is very slow, and since we are adding some random salt along with it, it is literally impossible for the attacker to crack a password. PHP provides a built-in function called password_hash() to hash the password using bcrypt with a random salt, and a password_verify() function to verify it.
The password_hash() function in combination with password_verify():
https://secure.php.net/manual/en/function.password-hash.php
https://secure.php.net/manual/en/function.password-verify.php
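As an added example (not code from any of the answers above), this shows the password_hash()/password_verify() flow the answers describe, plus the step the question actually needs: upgrading the existing md5 hashes to bcrypt on the user's next successful login. The $users array stands in for the database table and its column name is an assumption.

```php
<?php
// Added example: store new passwords with password_hash(), verify with
// password_verify(), and replace legacy md5() hashes in place on login.
// $users stands in for the DB table; 'password_hash' is an assumed column name.

// PASSWORD_DEFAULT is bcrypt in PHP 7.x; the random salt is generated by PHP
// and embedded in the returned string, so no separate salt column is needed.
function hashPassword(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

// Legacy rows hold a bare 32-hex-digit md5 digest; bcrypt hashes start with "$2y$".
function isLegacyMd5(string $stored): bool {
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
}

// Returns true when the login succeeds. The stored hash is upgraded when it is
// legacy md5, or when PHP's default algorithm/cost has changed since it was made.
function loginAndUpgrade(array &$users, string $username, string $password): bool {
    if (!isset($users[$username])) {
        return false;
    }
    $stored = $users[$username]['password_hash'];

    if (isLegacyMd5($stored)) {
        // hash_equals() compares in constant time (avoids a timing side channel).
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        $users[$username]['password_hash'] = hashPassword($password);  // upgrade
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Re-hash if the default algorithm or cost has been raised since this hash was stored.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$username]['password_hash'] = hashPassword($password);
    }
    return true;
}

// Constructed sample data: one legacy md5 row and one already-upgraded row.
$users = [
    'alice' => ['password_hash' => md5('correct horse')],
    'bob'   => ['password_hash' => hashPassword('battery staple')],
];

var_dump(loginAndUpgrade($users, 'alice', 'wrong'));          // wrong password is rejected
var_dump(loginAndUpgrade($users, 'alice', 'correct horse'));  // accepted; alice's row is now bcrypt
var_dump(isLegacyMd5($users['alice']['password_hash']));      // the md5 digest is gone
var_dump(loginAndUpgrade($users, 'bob', 'battery staple'));   // normal password_verify() path
```

Once every user has logged in at least once, no md5 digests remain in the table; accounts that never log in can be forced through a password reset instead.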