RalphLeMouf Posted August 1, 2012

Hello - I am currently creating a user and storing their info in the database. There seem to be a number of ways to hash passwords using sha1 and md5 and the encryption class, however I am looking for the best way to do this combining sha1 and salting it with the random string I have set in my encryption key. Obviously I am going to want to be able to log the user back in with the encryption intact and overall am looking for the most secure way to do all of this. Any suggestion or link to a tutorial or example would be greatly appreciated. Thanks in advance.

MODEL:

    <?php
    class User_model extends CI_Model {

        function __construct() {
            parent::__construct();
        }

        function create_member() {
            // Loaded but not yet used: the password below is stored as posted.
            $this->load->library('encrypt');

            $new_member_insert_data = array(
                'first_name' => $this->input->post('first_name'),
                'last_name'  => $this->input->post('last_name'),
                'email'      => $this->input->post('email'),
                'password'   => $this->input->post('password')
            );

            $insert = $this->db->insert('users', $new_member_insert_data);
            return $insert;
        }
    }

VIEW:

    <div class="home_left clearfix">
        <div class="sign_up">
            <div class="sign_up_title">
                Join Today!
            </div>
            <?php
            echo validation_errors();
            echo form_open('auth/create_member');

            echo "<div class='form_text_signup'>";
            echo "First Name";
            echo "</div>";
            echo form_input('first_name', set_value('first_name'));

            echo "<div class='form_text_signup'>";
            echo "Last Name";
            echo "</div>";
            echo form_input('last_name', set_value('last_name'));

            echo "<div class='form_text_signup'>";
            echo "Email";
            echo "</div>";
            echo form_input('email', set_value('email'));

            echo "<div class='form_text_signup'>";
            echo "Password";
            echo "</div>";
            echo form_label('', 'password', array('type' => 'password'));
            $data = array(
                'name'  => 'password',
                'class' => 'input',
                'size'  => 30
            );
            // set_value() takes the field name; the original passed the literal
            // string 'sha1(password)', which matches no posted field.
            echo form_password($data, set_value('password'));

            echo "<div class='form_text_signup'>";
            echo "Confirm Password";
            echo "</div>";
            echo form_label('', 'password2', array('type' => 'password'));
            $data = array(
                'name'  => 'password2',
                'class' => 'input',
                'size'  => 30
            );
            echo form_password($data, set_value('password2'));

            echo form_submit('submit', 'Submit');
            echo validation_errors('<p class="error">');
            echo form_close();
            ?>
        </div>
    </div>
    <div class="home_right clearfix">
        <div class="home_image_bg">
        </div>
        <div class="resources">
            <div class="node_title_resources">
                <a href=""> Resources </a>
            </div>
        </div>
        <div class="grant">
            <div class="node_title_grant">
                <a href=""> Grant </a>
            </div>
        </div>
        <div class="living">
            <div class="node_title_le">
                <a href=""> Living Xtreme </a>
            </div>
        </div>
        <div class="browse clearfix">
        </div>
    </div>
    </div>

CONTROLLER:

    <?php
    class Auth extends CI_Controller {

        function __construct() {
            parent::__construct();
        }

        function create_member() {
            $this->load->library('form_validation');

            $this->form_validation->set_rules('first_name', 'First Name', 'trim|required');
            $this->form_validation->set_rules('last_name', 'Last Name', 'trim|required');
            $this->form_validation->set_rules('email', 'Email', 'trim|required|valid_email');
            // The original wrapped the field name in sha1(), which passes a raw
            // digest as the field and no rule string, so no password rule was
            // ever registered. set_rules() wants (field, label, rules).
            $this->form_validation->set_rules('password', 'Password', 'trim|required|max_length[32]');
            $this->form_validation->set_rules('password2', 'Confirm Password', 'trim|required|matches[password]');

            if ($this->form_validation->run() == FALSE) {
                $data['main_content'] = 'home/home_page';
                $this->load->view('includes/templates/home_page_template', $data);
            } else {
                $this->load->model('user_model');
                if ($query = $this->user_model->create_member()) {
                    $data['main_content'] = 'account/welcome';
                    $this->load->view('includes/templates/main_page_template', $data);
                } else {
                    $this->load->view('home/home_page');
                }
            }
        }
    }

Link to comment: https://forums.phpfreaks.com/topic/266558-looking-for-the-best-way-to-hash-my-passwords-upon-creating-a-user/
Christian F. Posted August 1, 2012

There are a couple of steps that you want to do:

1. Create a user-specific random hash value.
2. Add this to the password.
3. Hash the password using a strong hashing algorithm (sha256 or better).
4. Store both the hashed password and the salt in the DB.

Do this every time a user changes the password, and never ever save (or send) the unencrypted password anywhere. A possible exception to this is if the user generates a random password. Then have it invalidated the first time the user logs on with it, but generally you'll want to avoid this if possible.

Some people advocate running step 3 multiple times, adding the salt to the hash each time. Whether or not this actually adds anything is a point on which the experts are divided, so I can't say either way.

I'd also advocate using a second hash value, which is stored in your application's configuration file. A site-specific hash value, if you want. That way even if your DB is leaked, the attackers won't have the full hash without gaining read-access to all of your PHP code. (In which case you're fscked anyway.)
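The four steps above, plus the login check the original poster asked about, as an added example that is not code from this thread or from CodeIgniter. It uses PHP's built-in password_hash()/password_verify() (PHP 5.5 and later; the type hints need PHP 7), which generate the per-user salt and apply the slow bcrypt function, and it mixes in the site-specific value Christian describes via an HMAC. SITE_KEY and the e-mail address are placeholders; the array standing in for the users table is constructed so the script runs without a database.

```php
<?php
// Added example (not from the thread). password_hash() draws a fresh random
// salt on every call, runs bcrypt and returns one string holding algorithm,
// cost, salt and hash, so a single column covers step 4. The site key is the
// "second hash value" kept in the config file, not the DB: without it a leaked
// users table cannot be used to test password guesses. Caveat: losing or
// rotating SITE_KEY invalidates every stored password.

const SITE_KEY = 'PLACEHOLDER-replace-with-a-long-random-value-from-config';

function prepare_password(string $password): string {
    // HMAC instead of plain concatenation: fixed-length hex output, so it stays
    // under bcrypt's 72-byte input limit and contains no NUL bytes.
    return hash_hmac('sha256', $password, SITE_KEY);
}

function hash_password(string $password): string {
    // cost 12 means 2^12 bcrypt rounds; raise it as hardware gets faster.
    return password_hash(prepare_password($password), PASSWORD_BCRYPT, ['cost' => 12]);
}

function check_password(string $password, string $stored): bool {
    // password_verify() reads salt and cost from $stored and compares in
    // constant time, so the login code never recomputes or compares hashes itself.
    return password_verify(prepare_password($password), $stored);
}

// Stand-in for the users table (constructed data, keyed by e-mail).
$users = [];

// Registration (or password change): store only the hash string.
$users['alice@example.com'] = hash_password('correct horse battery staple');

// Login: fetch the row by e-mail, then verify the submitted password.
$ok  = check_password('correct horse battery staple', $users['alice@example.com']);
$bad = check_password('wrong password', $users['alice@example.com']);
var_dump($ok, $bad);

// Optional: if the cost parameter is raised later, upgrade old rows
// transparently after a successful login, while the password is in hand.
if ($ok && password_needs_rehash($users['alice@example.com'], PASSWORD_BCRYPT, ['cost' => 12])) {
    $users['alice@example.com'] = hash_password('correct horse battery staple');
}
```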
Mahngiel Posted August 1, 2012

CodeIgniter has a core encryption library already. The way I do it is to generate a random string (salt) and use that with the core lib.

    <?php
    // Inside a controller or model, so $this->load and $this->encrypt are available.
    function _salt( $length = 32 )
    {
        // Load the string helper
        $this->load->helper('string');

        // Return the random string
        return random_string('alnum', $length);
    }

    // Generate the per-user salt (the original had a typo, $satl) and hash the
    // salted password. The salt must be stored alongside the hash so the same
    // value can be used again when the user logs in.
    $salt = $this->_salt();
    $hash = $this->encrypt->sha1($salt . $this->encrypt->sha1($this->input->post('password')));
Christian F. Posted August 1, 2012

Just found this article, which is highly relevant: http://www.openwall.com/articles/PHP-Users-Passwords
RalphLeMouf Posted August 1, 2012 (Author)

@Mahngiel, I've implemented your method as a start and have it working. However I'm getting an undefined variable with $length. That also raises the question of where that is being used after creation?
Mahngiel Posted August 1, 2012

I neglected to create a default param in the salt function above. Check the updated post.

    function _salt( $length = 32 )

Having a default in there enables you to use the function later by passing a different value to it: $this->_salt(8) would return an 8-character string versus the default 32.
RalphLeMouf Posted August 1, 2012 (Author)

That works beautifully! Thanks!