php - How can I store my users' passwords safely? -


How much more secure than plain? I've just started looking for password protection, I'm very new to PHP.

  $ salt = 'csdnfgksdgojnmfnb'; $ Password = MD5 ($ salt. $ _ POST ['password']); $ Result = mysql_query ("User Select WHERE user id = '" .mysql_real_escape_string ($ _ POST [' username ']).' 'And password =' ​​$ password '"); if (mysql_num_rows ($ result) & lt ; 1) {/ * Access denied / / echo "The username or password you entered is incorrect.";} And ($ _SESSION ['id'] = mysql_result ($ result, 0, 'id'); #header "Location: ./"); "Hello $ _SESSION [id] echo"!}  

< P> The easiest way to secure your password storage plan is to a standard library .

Why Security becomes more complex and most programmers can deal alone with more invisible screw-up possibilities, using a standard library is almost always the easiest and safest (if only available) options.

< P>

New PHP Password API (5.5.0 +)

If you are using PHP version 5.5 .0 or newer, you have the new Simplified Password hashing API Can use

PHP's password API Example using code:

  & lt ;? Php // $ hash will store in your database $ hash = password_hash ($ _ POST ['password'], PASSWORD_DEFAULT, ['cost' => 12];); $ $ Hash $ hash (above) will be stored in your database for this user $ checked = password_verify ($ _ POST ['password'], $ hash); If ($ check) {echo 'password correct'; } And {echo 'wrong credentials'; }  

(If you are still using legacy 5.3.7 or newer you can install build-in functions to access it)

< P>

Improve on salty hash: add black pepper

If you want extra protection, then safety people (2017) will be a '' (automatically) salted The password recommend to add hashes.

There is a simple drop in the class, which adheres to this method safely, I suggest: ().
It comes with MIT license, so you want to use it though, even in proprietary projects.

The code example Netlik / Pepper password :

   


Old Standard Library

Please note: you should not be It needs now! This is only for historical purposes.

: Take a look at phpass and make sure that you use the CRYPT_BLOWFISH algorithm all possible.

Example of code using phpass (v0.2):

   HashPassword ($ password); $ $ Hash $ hash (above) will be stored in your database for this user $ check = $ pwdHasher- & gt; Checkpassword ($ password, $ hash); If ($ check) {echo 'password correct'; } And {echo 'wrong credentials'; }  

PHPass has been implemented in some well-known projects:

  • phpBB3
  • bbPress with WordPress 2.5+ as well

The good thing is that you do not have to worry about the details, those details have been reviewed by people on the Internet and by many people.

For more information about password storage plans, read the 'Blog Post':

Anyway, if you ' I will do my own, thank you ' If you are done, you do this, do not use Use MD5 or SHA1 now . They are good hashing algorithms, but they are considered broken for security purposes .

Currently, using CRYPT_BLOWFISH is the best practice. CRYPT_BLOWFISH BCRPP hash in PHP. Bitcript is based on bluffish block cipher, which uses expensive key setup to slow down the algorithm.


Comments

Popular posts from this blog

MySql variables and php -

url rewriting - How to implement the returnurl like SO in PHP? -

Which Python client library should I use for CouchdB? -