jaykappy Posted July 30, 2013

I was using MD5 to encrypt my password in testing. I am now trying to move to Hash and Salt... read a bit about it and it sort of makes sense... some of it goes right over my head. I am working from the example below... I have a password field and a salt field which get populated...

Questions:

1. Is this a viable option... before I invest time to get it working I want to know if this is something that is going to be around for a while...

2. Seeing the example below... is there something else I can add to increase security? Wondering if this was just an overview of using a salt, thus not a very effective solution.

Thanks

```php
if(!empty($_POST['password']))
{
    $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
    $password = hash('sha256', $_POST['password'] . $salt);

    for($round = 0; $round < 65536; $round++)
    {
        $password = hash('sha256', $password . $salt);
    }
}
else
{
    // If the user did not enter a new password we will not update their old one.
    $password = null;
    $salt = null;
}

// Initial query parameter values
$query_params = array(
    ':email' => $_POST['email'],
    ':user_id' => $_SESSION['user']['id'],
);

// If the user is changing their password, then we need parameter values
// for the new password hash and salt too.
if($password !== null)
{
    $query_params[':password'] = $password;
    $query_params[':salt'] = $salt;
}

// Note how this is only the first half of the necessary update query. We will dynamically
// construct the rest of it depending on whether or not the user is changing
// their password.
$query = "
    UPDATE users
    SET email = :email
";

// If the user is changing their password, then we extend the SQL query
// to include the password and salt columns and parameter tokens too.
if($password !== null)
{
    $query .= "
        , password = :password
        , salt = :salt
    ";
}

// Finally we finish the update query by specifying that we only wish to update
// the one record for the current user.
$query .= "
    WHERE id = :user_id
";

// Execute the query
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
```
Strider64 Posted July 30, 2013

```php
// A nice password hashing library for PHP 5
// Find it here: https://github.com/ircmaxell/password_compat/blob/master/lib/password.php
// Read the Documentation for further help:
// NOTE: if you're not using PHP 5, there are plenty of
// other good password hashing libraries out there ---> JUST GOOGLE IT!
```

Why re-invent the wheel? There are plenty of good password hashing libraries out there and I'm sure there will be other recommendations made right here.
trq Posted July 30, 2013

As Strider has mentioned, just use password_compat and be done with it.

https://github.com/ircmaxell/password_compat
jaykappy Posted July 31, 2013 (Author)

First off thanks.

1. So if I was to use password_compat I could do away with the SALT that I was using... and just push the user defined password to:

```php
$hash = password_hash($password, PASSWORD_BCRYPT);
```

and be done with it...

2. But what if I give the user the ability to change their password... do I simply run it through this again, recreating a new password?
jaykappy Posted July 31, 2013 (Author, edited)

......................................................

Edited July 31, 2013 by jaykappy
jaykappy Posted July 31, 2013 (Author, edited)

I guess if all I have to do is copy that code into a PHP page and call it... I am curious how to do that...

a. Making sure I am at the proper PHP version...

b. Copy the code from Strider into a PHP page???

1. Call the function to create a hash... do I need to store the salt in my table as well?

2. How to properly call the verify function to test a password... does it return true/false?

Edited July 31, 2013 by jaykappy
jaykappy Posted July 31, 2013 (Author)

I read this and it is starting to make sense..... https://wiki.php.net/rfc/password_hash

- Proper version of PHP needed
- NO need to store SALT
- Seems the testing is quite easy.

Last question... the post that Strider posted with the code..... is that the PHP code that I need? Simply paste that into a PHP page and call it?

Thanks
trq Posted July 31, 2013

It's all documented in the manual. http://au1.php.net/password

password_compat simply provides a compatibility layer for users not yet using 5.5 (most people).
jaykappy Posted August 1, 2013 (Author, edited)

Thanks.... seems pretty simple... so I take it, since I am not on 5.5, I would have to install a PHP file... then modify the php.ini file? Not really sure what the deal is with that. Thoughts?

Thanks again for your time and patience.

I go to the website below and can't find the download for the file?

> There is a compatibility pack available for PHP versions 5.3.7 and later, so you don't have to wait on version 5.5 for using this function. It comes in form of a single php file: https://github.com/i...password_compat

Edited August 1, 2013 by jaykappy
trq Posted August 1, 2013 (Solution)

> I take it, since I am not on 5.5, I would have to install a PHP file... then modify the php.ini file?

It's a PHP library, meaning it is written in PHP. You don't need to edit the php.ini. There are installation instructions on the very page you linked to. But yeah (assuming you have no idea what composer/packagist is), it's just a single PHP file that needs to be included wherever you plan on using it.
jaykappy Posted August 1, 2013 (Author)

Got it all to work.... sorry for the confusing emails... was a bit confused if you can't tell...

But way easy... works great... now just have to do some testing of the COST option...

Last question.... what would be the reason to manually create the SALT? Is it still secure and OK to use the default on this?

Thank you for your time and patience.... very appreciated.... Cheers
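Putting the thread's advice together, here is an added example (not code from the thread, from password_compat or from the PHP manual) of the password_hash()/password_verify() flow that replaces the SHA-256 loop and separate salt column of the first post, including the password-change and cost questions raised later. It assumes a `users` table with `id`, `email` and `password` columns (`password` at least 60 characters wide for a bcrypt string), a PDO connection `$db`, and PHP 5.3.7+ with password_compat included when on a version below 5.5.

```php
<?php
// On PHP < 5.5, password_compat supplies password_hash() and friends.
// Adjust the path to where you placed lib/password.php (assumed path).
if (!function_exists('password_hash')) {
    require_once __DIR__ . '/lib/password.php';
}

// bcrypt work factor; PHP's default is 10 (PASSWORD_BCRYPT_DEFAULT_COST).
// Raise it until password_hash() takes roughly 100 ms on your server.
const BCRYPT_COST = 12;

// Registration AND password change use the same call: the new hash simply
// overwrites the old one. password_hash() draws a fresh random salt from the
// OS CSPRNG and stores it inside the returned string, so there is no salt
// column and no reason to build a salt by hand.
function storeNewPassword(PDO $db, $userId, $plain)
{
    $hash = password_hash($plain, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
    $stmt = $db->prepare('UPDATE users SET password = :password WHERE id = :id');
    $stmt->execute(array(':password' => $hash, ':id' => $userId));
}

// Login: returns the user id on success, or null for an unknown e-mail or a
// wrong password (same return for both, so callers cannot tell them apart).
function checkLogin(PDO $db, $email, $plain)
{
    $stmt = $db->prepare('SELECT id, password FROM users WHERE email = :email');
    $stmt->execute(array(':email' => $email));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // password_verify() reads the cost and salt from the stored string and
    // compares in constant time; it returns a plain true/false.
    if (!password_verify($plain, $row['password'])) {
        return null;
    }
    // If BCRYPT_COST was raised since this hash was made, upgrade it now while
    // the plaintext is available; old hashes keep verifying in the meantime.
    if (password_needs_rehash($row['password'], PASSWORD_BCRYPT, array('cost' => BCRYPT_COST))) {
        storeNewPassword($db, $row['id'], $plain);
    }
    return (int) $row['id'];
}
```

Because the salt is random per call, hashing the same password twice yields two different strings; that is expected, and password_verify() handles it.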