This question is about a specific programming problem I am having - I want to make sure that my code (and software algorithm) are sufficient enough to store user credentials in a database.
// Get a 32 character salt like '69Mt6nexL1rsjWnu011S53MpB/WmT4Vl'
$passwordSalt = Security::generateBase64Salt();
$user = new User();
$user->setUsername($_POST['username']);
// $_POST['password'] comes in as a 128 character string
// Client side javascript is used to sha512 the string before sending it over POST
// see http://pajhome.org.uk/crypt/md5/
// This prevents novice eavesdroppers from capturing the raw password in plaintext
$user->setPassword(
    hash('sha512', $passwordSalt.$_POST['password'])
);
$user->setPasswordSalt($passwordSalt);
$user->save();
Here's the database entry for a particular password:
Password:
69a78a7586a111b8a567b2d4f42f93f01fb59d337f7fa3c35949a66b246095778c1fa01ff4026abace476091e1e9a183bbdec1c31b12ce3f786921895c98cf6f
Salt:
69Mt6nexL1rsjWnu011S53MpB/WmT4Vl
Questions:
For Fun:
I'll PayPal you $5 if you can provide me with the original password using the salt and salt + password hash.
Commonly used hashing algorithms include Message Digest (MDx) algorithms, such as MD5, and Secure Hash Algorithms (SHA), such as SHA-1 and the SHA-2 family that includes the widely used SHA-256 algorithm.
PHP provides a native password hashing API that handles both hashing and verifying passwords securely. Another option is the crypt() function, which supports several hashing algorithms.
A user has to create a password and use it to log in to the website, so it is very important to protect that password. The password_hash() function provides a way to securely store the user's password in the database.
Everything Kendall said, and ..
.. Skip the hashing that you perform client side in JavaScript. Instead, just buy an SSL certificate and post the credentials over https. That will protect you from novice eavesdroppers as well as seasoned attackers.
And besides, once you hash on the client side, that effectively becomes your password. If an eavesdropper gets hold of the hashed password, he can pass it to your server and things would just work.
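The following is an added example, not code from the question or from any of the answers: it shows the native password hashing API mentioned above taking over from the salted SHA-512 scheme, and goes one step further by upgrading existing rows at the next successful login. The function names, the array-shaped user record and the sample values are hypothetical, and it assumes the browser-side hash was the lowercase hex SHA-512 of the raw password.

```php
<?php
// New accounts: password_hash() generates its own salt and embeds it,
// together with the algorithm and cost, in the string it returns.
function registerUser(string $username, string $password): array
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    return ['username' => $username, 'password' => $hash, 'salt' => null];
}

// Assumed legacy format (the question's scheme): hex SHA-512 of
// salt . hex SHA-512(password), where the inner hash was done in the browser.
function legacyHash(string $salt, string $password): string
{
    return hash('sha512', $salt . hash('sha512', $password));
}

// Returns [bool $ok, array $user]. On success, $user is upgraded if it was a
// legacy row or if its password_hash() parameters are out of date.
function verifyLogin(array $user, string $password): array
{
    if ($user['salt'] !== null) {
        // Legacy row: compare in constant time, then migrate the row.
        if (!hash_equals($user['password'], legacyHash($user['salt'], $password))) {
            return [false, $user];
        }
        $user['password'] = password_hash($password, PASSWORD_DEFAULT);
        $user['salt'] = null; // the separate salt column is no longer used
        return [true, $user];
    }
    if (!password_verify($password, $user['password'])) {
        return [false, $user];
    }
    if (password_needs_rehash($user['password'], PASSWORD_DEFAULT)) {
        $user['password'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return [true, $user];
}

// Constructed sample data, not taken from the page.
$legacy = ['username' => 'alice', 'salt' => 'constructed-salt',
           'password' => legacyHash('constructed-salt', 'correct horse')];
[$ok, $upgraded] = verifyLogin($legacy, 'correct horse');
var_dump($ok, $upgraded['salt'] === null);             // login against the legacy row
var_dump(verifyLogin($upgraded, 'wrong guess')[0]);    // wrong password, migrated row
var_dump(verifyLogin($upgraded, 'correct horse')[0]);  // right password, migrated row
```

For the migration path to work, the login form has to post the raw password over HTTPS, as the answer above recommends, because the server needs the original input both to check the legacy hash and to compute the new one.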