Password Hash


Solved by trq


I was using MD5 to encrypt my password in testing.  I am now trying to move to Hash and Salt...read a bit about it and it sort of makes sense...some of it goes right over my head.

 

I am working from the example below...I have a password field and a salt field which get populated...

 

Questions:  

1. Is this a viable option..before I invest time to get it working I want to know if this is something that is going to be around for a while...

2. Seeing the example below...is there something else I can add to increase security?  Wondering if this was just an overview of using a salt, thus not a very effective solution

 

Thanks

if(!empty($_POST['password']))
{
    $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
    $password = hash('sha256', $_POST['password'] . $salt);
    for($round = 0; $round < 65536; $round++)
    {
        $password = hash('sha256', $password . $salt);
    }
}
else
{
    // If the user did not enter a new password we will not update their old one.
    $password = null;
    $salt = null;
}

// Initial query parameter values
$query_params = array(
    ':email' => $_POST['email'],
    ':user_id' => $_SESSION['user']['id'],
);

// If the user is changing their password, then we need parameter values
// for the new password hash and salt too.
if($password !== null)
{
    $query_params[':password'] = $password;
    $query_params[':salt'] = $salt;
}

// Note how this is only the first half of the necessary update query.  We will dynamically
// construct the rest of it depending on whether or not the user is changing
// their password.
$query = "
    UPDATE users
    SET
        email = :email
";

// If the user is changing their password, then we extend the SQL query
// to include the password and salt columns and parameter tokens too.
if($password !== null)
{
    $query .= "
        , password = :password
        , salt = :salt
    ";
}

// Finally we finish the update query by specifying that we only wish to update the one record for the current user.
$query .= "
    WHERE
        id = :user_id
";

// Execute the query
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
https://forums.phpfreaks.com/topic/280650-password-hash/

// A nice password hashing library for PHP 5
// Find it here: https://github.com/ircmaxell/password_compat/blob/master/lib/password.php
// Read the Documentation for further help:
// NOTE: if you're not using PHP 5, there are plenty of 
// other good password hashing libraries out there ---> JUST GOOGLE IT!

Why re-invent the wheel? There are plenty of good password hashing libraries out there and I'm sure there will be other recommendations made right here. ;D


First off thanks.  

1. So if I was to use password_compat I could do away with the SALT that I was using...and just push the user defined password to: and be done with it...

2. But what if I give the user the ability to change their password...do I simply run it through this again? recreating a new password?

 

 $hash = password_hash($password, PASSWORD_BCRYPT);


I guess if all I have to do is copy that code into a php page and call it...I am curious how to do that...

 

a. Making sure I am at proper PHP version...

b. Copy the code from Strider into a PHP page???

 

1. Call the Function to create a Hash...do I need to store the Salt in my table as well?

 

2. How to properly call the Function Verify to test a password...does it return true false?


I read this and it is starting to make sense.....

 

https://wiki.php.net/rfc/password_hash

 

Proper Version of PHP needed

NO need to store SALT 

Seems the testing is quite easy.

 

Last question...the post that Stryder posted with the code.....is that the PHP code that I need?  Simply paste that into a php page and call it?

 

Thanks


Thanks....seems pretty simple...so I take it, since I am not on 5.5, I would have to install a php file...then modify the php.ini file?

Not really sure what the deal is with that.

Thoughts?

Thanks again for your time and patience.  I go to the website below and can't find the download for the file?

 

There is a compatibility pack available for PHP versions 5.3.7 and later, so you don't have to wait on version 5.5 for using this function. It comes in form of a single php file:
https://github.com/i...password_compat


  • Solution

I take it, since I am not on 5.5, I would have to install a php file...then modify the php.ini file?

It's a PHP library. Meaning it is written in PHP. You don't need to edit the php.ini.

 

There are installation instructions on the very page you linked to. But yeah (assuming you have no idea what composer/packagist is), it's just a single PHP file that needs to be included wherever you plan on using it.


Got it all to work....sorry for the confusing emails...was a bit confused if you can't tell...

But way easy...works great...now just have to do some testing of the COST option...

 

Last question....what would be the reason to manually create the SALT?  Is it still secure and ok to use the default on this?

 

Thank you for your time and patience....very appreciated....Cheers
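Pulling the answers in this thread together, as an added example that is not code from the thread or from password_compat itself: logging in with password_verify(), changing a password by simply storing a fresh hash, and picking the cost option by timing it. The $pdo connection, the users(id, email, password) table and the BCRYPT_COST value are assumptions.

```php
<?php
// Added example, not code from the thread: log in, change a password and
// benchmark the bcrypt cost with password_hash()/password_verify().
// PHP >= 5.5, or 5.3.7+ with password_compat's lib/password.php included.
// Assumed: a PDO connection $pdo and a users(id, email, password) table.
const BCRYPT_COST = 12; // assumed; tune with benchmarkCost() on the real server

// password_verify() reads salt and cost back out of the stored hash and
// returns a plain boolean; unknown users still pay for one bcrypt compare
// so a login attempt takes about the same time whether the email exists or not.
function login(PDO $pdo, $email, $plain)
{
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE email = :email');
    $stmt->execute(array(':email' => $email));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $stored = $row ? $row['password'] : password_hash('dummy', PASSWORD_BCRYPT);
    $ok = password_verify($plain, $stored);
    if (!$row || !$ok) {
        return false;
    }
    // Stored hash made with an older/cheaper cost? Re-hash while we have the plaintext.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST))) {
        changePassword($pdo, $row['id'], $plain);
    }
    return (int) $row['id'];
}

// No salt column is needed: password_hash() generates a random salt on every
// call and stores it inside the returned "$2y$..." string, so changing a
// password is just hashing the new one and overwriting the old hash.
function changePassword(PDO $pdo, $userId, $plain)
{
    $hash = password_hash($plain, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
    $stmt = $pdo->prepare('UPDATE users SET password = :hash WHERE id = :id');
    $stmt->execute(array(':hash' => $hash, ':id' => $userId));
}

// Highest cost that still hashes within the target time on this machine.
function benchmarkCost($targetSeconds = 0.25)
{
    for ($cost = 8; $cost <= 31; $cost++) {
        $start = microtime(true);
        password_hash('benchmark-only', PASSWORD_BCRYPT, array('cost' => $cost));
        if (microtime(true) - $start > $targetSeconds) {
            return max(8, $cost - 1);
        }
    }
    return 31;
}
```

Run benchmarkCost() once on the production hardware and put the result in BCRYPT_COST; password_needs_rehash() then upgrades old hashes transparently the next time each user logs in.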
