php - How can I store my users' passwords safely? -

How much more secure than plain? I've just started looking for password protection, I'm very new to PHP.

  $ salt = 'csdnfgksdgojnmfnb'; $ Password = MD5 ($ salt. $ _ POST ['password']); $ Result = mysql_query ("User Select WHERE user id = '" .mysql_real_escape_string ($ _ POST [' username ']).' 'And password =' ​​$ password '"); if (mysql_num_rows ($ result) & lt ; 1) {/ * Access denied / / echo "The username or password you entered is incorrect.";} And ($ _SESSION ['id'] = mysql_result ($ result, 0, 'id'); #header "Location: ./"); "Hello $ _SESSION [id] echo"!}  

< P> The easiest way to secure your password storage plan is to a standard library .

Why Security becomes more complex and most programmers can deal alone with more invisible screw-up possibilities, using a standard library is almost always the easiest and safest (if only available) options.

< P>

New PHP Password API (5.5.0 +)

If you are using PHP version 5.5 .0 or newer, you have the new Simplified Password hashing API Can use

PHP's password API Example using code:

  & lt ;? Php // $ hash will store in your database $ hash = password_hash ($ _ POST ['password'], PASSWORD_DEFAULT, ['cost' => 12];); $ $ Hash $ hash (above) will be stored in your database for this user $ checked = password_verify ($ _ POST ['password'], $ hash); If ($ check) {echo 'password correct'; } And {echo 'wrong credentials'; }  

(If you are still using legacy 5.3.7 or newer you can install build-in functions to access it)

< P>

Improve on salty hash: add black pepper

If you want extra protection, then safety people (2017) will be a '' (automatically) salted The password recommend to add hashes.

There is a simple drop in the class, which adheres to this method safely, I suggest: ().
It comes with MIT license, so you want to use it though, even in proprietary projects.

The code example Netlik / Pepper password :

   
 
  
 Old Standard Library  
 
  Please note:  you should not be It needs now! This is only for historical purposes.   
: Take a look at  phpass  and make sure that you use the  CRYPT_BLOWFISH  algorithm all possible. 
 
 Example of code using phpass (v0.2): 
 
   HashPassword ($ password); $ $ Hash $ hash (above) will be stored in your database for this user $ check = $ pwdHasher- & gt; Checkpassword ($ password, $ hash); If ($ check) {echo 'password correct'; } And {echo 'wrong credentials'; }  
 
 PHPass has been implemented in some well-known projects: 
 
 
 phpBB3 
 
 bbPress with WordPress 2.5+ as well 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
 
 
 
 The good thing is that you do not have to worry about the details, those details have been reviewed by people on the Internet and by many people. 
 
 For more information about password storage plans, read the 'Blog Post': 
 
 Anyway, if you ' I will do my own, thank you ' If you are done, you do this, do not use  Use  MD5  or  SHA1  now . They are good hashing algorithms, but they are considered  broken for security purposes . 
 
 Currently, using CRYPT_BLOWFISH is the best practice. CRYPT_BLOWFISH BCRPP hash in PHP. Bitcript is based on bluffish block cipher, which uses expensive key setup to slow down the algorithm.