jaykappy Posted July 30, 2013 Share Posted July 30, 2013 I was using MD5 to encrypt my password in testing. I am not trying to move to Hash and Salt...read a bit about it and it sort of makes sense...some of it goes right over my head. I am working from the example below...I have a password field and a salt field which get populated... Questions: 1. Is this a viable option..before I invest time to get it working I want to know if this is something that is going to be around for a while... 2. Seeing the example below...is there something else I can add to increase security? Wondering if this was just an overview of using a salt, thus not a very effective solution Thanks if(!empty($_POST['password'])) { $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647)); $password = hash('sha256', $_POST['password'] . $salt); for($round = 0; $round < 65536; $round++) { $password = hash('sha256', $password . $salt); } } else { // If the user did not enter a new password we will not update their old one. $password = null; $salt = null; } // Initial query parameter values $query_params = array( ':email' => $_POST['email'], ':user_id' => $_SESSION['user']['id'], ); // If the user is changing their password, then we need parameter values // for the new password hash and salt too. if($password !== null) { $query_params[':password'] = $password; $query_params[':salt'] = $salt; } // Note how this is only first half of the necessary update query. We will dynamically // construct the rest of it depending on whether or not the user is changing // their password. $query = " UPDATE users SET email = :email "; // If the user is changing their password, then we extend the SQL query // to include the password and salt columns and parameter tokens too. if($password !== null) { $query .= " , password = :password , salt = :salt "; } // Finally we finish the update query by specifying that we only wish to update the one record with for the current user. $query .= " WHERE id = :user_id "; // Execute the query $stmt = $db->prepare($query); $result = $stmt->execute($query_params); Quote Link to comment https://forums.phpfreaks.com/topic/280650-password-hash/ Share on other sites More sharing options...
Strider64 Posted July 30, 2013 Share Posted July 30, 2013 // A nice password hashing library for PHP 5 // Find it here: https://github.com/ircmaxell/password_compat/blob/master/lib/password.php // Read the Documentation for further help: // NOTE: if you're not using PHP 5, there are plenty of // other good password hashing libraries out there ---> JUST GOOGLE IT! Why re-invent the wheel? There are plenty of good password hashing libraries out there and I'm sure there will be other recommendations made right here. Quote Link to comment https://forums.phpfreaks.com/topic/280650-password-hash/#findComment-1442727 Share on other sites More sharing options...
trq Posted July 30, 2013 Share Posted July 30, 2013 As Strider has mentioned, just use password_compat and be done with it. https://github.com/ircmaxell/password_compat Quote Link to comment https://forums.phpfreaks.com/topic/280650-password-hash/#findComment-1442731 Share on other sites More sharing options...
jaykappy Posted July 31, 2013 Author Share Posted July 31, 2013 First off thanks. 1. So if I was to use password_compat i could do away with the SALT that I was using...and just push the user defined password to: and be done with it... 2. But what if I give the user the ability to change their password...do I simply run it through this again? recreating a new password? $hash = password_hash($password, PASSWORD_BCRYPT); Quote Link to comment https://forums.phpfreaks.com/topic/280650-password-hash/#findComment-1442785 Share on other sites More sharing options...
jaykappy Posted July 31, 2013 Author Share Posted July 31, 2013 (edited) ...................................................... Edited July 31, 2013 by jaykappy Quote Link to comment https://forums.phpfreaks.com/topic/280650-password-hash/#findComment-1442819 Share on other sites More sharing options...
jaykappy Posted July 31, 2013 Author Share Posted July 31, 2013 (edited) I guess if all I have to do is copy that code into a php page and call it...I am curious how to do that... a. Making sure I am at proper PHP version... b. Copy the code from Strider into a PHP page??? 1. Call the Function to create a Hash...do i need to store the Salt in my table as well? 2. How to properly call the Function Verify to test a password...does it return true false? Edited July 31, 2013 by jaykappy Quote Link to comment https://forums.phpfreaks.com/topic/280650-password-hash/#findComment-1442821 Share on other sites More sharing options...
jaykappy Posted July 31, 2013 Author Share Posted July 31, 2013 I read this and it is starting to make sense..... https://wiki.php.net/rfc/password_hash Proper Version of PHP needed NO need to store SALT Seems the testing is quite easy. Last question...the post that Stryder posted with the code.....is that the PHP code that i need? Simply paste that into a php page and call it? THanks Quote Link to comment https://forums.phpfreaks.com/topic/280650-password-hash/#findComment-1442825 Share on other sites More sharing options...
trq Posted July 31, 2013 Share Posted July 31, 2013 It's all documented in the manual. http://au1.php.net/password password_compat simply provides a compatibility layer for users not yet using 5.5 (most people). Quote Link to comment https://forums.phpfreaks.com/topic/280650-password-hash/#findComment-1442868 Share on other sites More sharing options...
jaykappy Posted August 1, 2013 Author Share Posted August 1, 2013 (edited) Thanks....seems pretty simple...so I take it, since I am not on 5.5, I would have to install a php file...then modify the php.ini file? Not really sure what the deal is with that. Thoughts? Thanks again for your time and patience. I go to the website below and cant find the download for the file? There is a compatibility pack available for PHP versions 5.3.7 and later, so you don't have to wait on version 5.5 for using this function. It comes in form of a single php file:https://github.com/i...password_compat Edited August 1, 2013 by jaykappy Quote Link to comment https://forums.phpfreaks.com/topic/280650-password-hash/#findComment-1442951 Share on other sites More sharing options...
Solution trq Posted August 1, 2013 Solution Share Posted August 1, 2013 I take it, since I am not on 5.5, I would have to install a php file...then modify the php.ini file? Its a PHP library. Meaning it is written in PHP. You don't need to edit the php.ini. There is installation instructions on the very page you linked to. But yeah (assuming you have no idea what composer/packagist is), its just a single PHP file that needs to be included wherever you plan on using it. Quote Link to comment https://forums.phpfreaks.com/topic/280650-password-hash/#findComment-1442955 Share on other sites More sharing options...
jaykappy Posted August 1, 2013 Author Share Posted August 1, 2013 Got it all to work....sorry for the confusing emails...was a bit confused if you cant tell... But way easy...works great...now just have to do some testing of the COST option... Last question....what would be the reason to manually create the SALT? Is it still secure and ok to use the default on this? Thank you for your time and patience....very appreciated....Cheers Quote Link to comment https://forums.phpfreaks.com/topic/280650-password-hash/#findComment-1443012 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.