
Making my site more secure, Am I using password_hash correct? [duplicate]

Tags:

php

I have a VERY small site and recently I've been trying to make it more secure; I used to store my passwords in plain text.

I think I'm doing it right, but as a "hobby" programmer I wanna make sure, so I ask you, the professionals.

When a user registers I do: password_hash($their_password, PASSWORD_DEFAULT) and store that in the 'password' column in the users table. I use PASSWORD_DEFAULT as that seems the best according to php.net:

"Note that this constant is designed to change over time as new and stronger algorithms are added to PHP."

Sounds good!

And the Login part (very simple):

if (count($_POST) > 0) {

    $username = trim($_POST['username']);
    $password = trim($_POST['password']);

    // Look up the stored hash for this username
    $query = $db->prepare("SELECT password FROM users WHERE username = ?");
    $query->execute(array($username));
    $row = $query->fetch();

    if (password_verify($password, $row['password'])) {
        echo "Correct password";
        // create session...
    } else {
        // wrong password
    }
}

Maybe I should check if the username exists first but other than that what do you think?

asked Mar 01 '15 13:03

Smugglaren




1 Answer

You appear to have perfectly understood the documentation and how to construct the code you need. Shame on you for using plaintext passwords even temporarily, but your decision to fix with the correct method (i.e. not md5 like me, a silly person (I really need to update my password saving systems...)) is awesome.

The only issue I can see is that some people might have their passwords start or end with a space. Such passwords would lose their leading/trailing spaces and indeed the user may be alarmed that they can log in with two spaces, or none! So probably best to remove those trim calls ;)

answered Sep 26 '22 06:09

Niet the Dark Absol
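
The login flow from this thread with the open points addressed, as an added example that is not code from the question or the answer: the password is not trimmed, an unknown username is handled without reading $row['password'] from a failed fetch, and the stored hash is upgraded when PASSWORD_DEFAULT changes. The in-memory SQLite table (needs the pdo_sqlite extension), the function names register() and login(), the dummy-hash step and the sample account are assumptions made for the illustration.

```php
<?php
// Added example: constructed in-memory user table so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Hypothetical helper: store only the hash; the password is not trimmed or altered.
function register(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Hypothetical helper: returns true only for an existing user with a matching password.
function login(PDO $db, string $username, string $password): bool
{
    // Hash of a throwaway value, verified when the username is unknown, so both
    // paths run password_verify() and no array offset is read from false.
    static $dummy = null;
    $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $hash = ($row === false) ? $dummy : $row['password'];
    $ok = password_verify($password, $hash) && $row !== false;

    if ($ok && password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        // PASSWORD_DEFAULT can change between PHP versions: re-hash on login.
        $upd = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return $ok;
}

register($db, 'alice', ' two spaces ');          // constructed sample account
var_dump(login($db, 'alice', ' two spaces '));   // exact password as registered
var_dump(login($db, 'alice', 'two spaces'));     // same password with spaces trimmed
var_dump(login($db, 'nobody', 'anything'));      // username not in the table
```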