
Best way to properly/efficiently hash passwords


galvin


I'll start by apologizing for the stupid decision that led to this question.  A few years ago, I created a PHP/MySQL site with a login system and I created a field in the MySQL called "password" and it stored literally the exact password people entered (I know, I know).

 

The site has proven to have nice traffic potential, so I am going to re-vamp everything, including storing passwords properly (i.e. hashed).

 

My first question... Is there a way to convert regular text passwords to hashed passwords?  For example, I could create a new field in the "User" table for "hashedpassword" and write a script that takes all the insecure passwords and turns them into hashed passwords.  Then delete the previous "bad" password field from the database.  This would allow me to do it without the customer ever knowing anything changed.

 

Quick googling appears to support that it IS doable rather easily, with something like...

UPDATE mytable
SET password = MD5(password)

If not, I guess I would have to create a thing where the first time someone logged in after I put hashing in place, the site would force them to change their password. I'd rather not annoy the visitors if at all possible.

 

Second question, what is the proper/recommended hashing method to use?   Some people seem to poo-poo MD5.  If you agree, should I use:

 

MD5

SHA

MD5 with a salt

SHA with a salt

Something else I never heard of

 

NOTE:  My site is a fantasy sports site, so the data involved is not overly important.  Maybe a salt is overkill?  Or is being overly safe never a bad thing?

 

Lastly, don't need to address this, but if anyone can explain it like I'm 5 that would be great because I must be missing something... if you can easily turn a regular password into a hashed password, couldn't hackers easily do the reverse, which would render the hashing almost useless?  I get that salting helps, but before salting (i.e. doing ONLY MD5), I don't see how hashing helped that much (if you could reverse figure out the password).  What am I missing?

 

Thanks!

Greg

Edited by galvin
My first question... Is there a way to convert regular text passwords to hashed passwords? 

Yes, using the update query like you showed if you're converting plain text passwords to md5 or sha1 (which you should not be doing).

 

You will need to do something like this if you're going to use password_hash:

// connect to db
$mysqli = new mysqli('localhost', 'username', 'password', 'database');

// get the user id and plain text password from the users table
// (note: the password column must be wide enough for the hash, VARCHAR(255) is the usual recommendation)
$result = $mysqli->query('SELECT id, password FROM users');

// prepared statement for updating the password (same "users" table as the SELECT above)
$stmt = $mysqli->prepare('UPDATE users SET password = ? WHERE id = ?');

// bind the variables to the statement: first placeholder is the hash (string), second is the id (integer)
// bind_param binds by reference, so the current values of $password and $id are used on each execute()
$stmt->bind_param('si', $password, $id);

// loop through the user ids and passwords in the resultset (fetch_row() returns null when done)
while (list($id, $password) = $result->fetch_row())
{
     // convert the existing plain text password to a hash using password_hash()
     $password = password_hash($password, PASSWORD_BCRYPT);

     // update the password in the database
     $stmt->execute();
}

Lastly, don't need to address this, but if anyone can explain it like I'm 5 that would be great because I must be missing something... if you can easily turn a regular password into a hashed password, couldn't hackers easily do the reverse, which would render the hashing almost useless?  I get that salting helps, but before salting (i.e. doing ONLY MD5), I don't see how hashing helped that much (if you could reverse figure out the password).  What am I missing?

md5 or sha1 or any other encryption algorithm cannot be decrypted easily. All a hacker is doing is generating millions of md5/sha1 hashes (a second) and seeing if the generated hash matches any of your password hashes in your database. Once a match occurs the hacker looks back and sees what sequence of characters were used to generate that hash. This is how a hacker then gets to know your password.

 

The idea of adding salt to a password is to make it stronger and make it a lot harder for a hacker to find a matching hash. However this is still not enough as eventually a match will still be found no matter what salt you use.

 

The purpose of password_hash is to add latency each time a hash is generated, slowing the hacker down for every generated hash. Check out ircmaxwell's post for more information as he'll explain it better than me.

Edited by Ch0cu3r
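The migration script above gets the hashes into the database, but the thread does not show the other half: what the login check looks like afterwards, and a concrete way to see the two properties Ch0cu3r describes (a fresh random salt per hash, and deliberate slowness). The following is an added example, not code from either poster; it assumes a users(id, username, password) table, a mysqli connection whose credentials are placeholders, and the bcrypt cost of 12 is an assumed choice.

```php
<?php
declare(strict_types=1);

// Hashing options assumed for this example; bcrypt cost 12 is a common
// choice, tune it to what your server can afford per login.
const HASH_ALGO = PASSWORD_BCRYPT;
const HASH_OPTS = ['cost' => 12];

// Verify a login attempt against the password_hash() value stored in users.password.
// Returns true only when the submitted password matches; on a match it also
// re-hashes if the stored hash was made with an older algorithm or lower cost,
// so the table upgrades itself as people log in.
function login(mysqli $mysqli, string $username, string $submitted): bool
{
    $stmt = $mysqli->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    if ($found !== true) {
        // Unknown user: still spend a hash's worth of time so the response time
        // does not reveal which usernames exist.
        password_verify($submitted, password_hash('dummy', HASH_ALGO, HASH_OPTS));
        return false;
    }

    // password_verify reads the algorithm, cost and salt out of the stored hash itself.
    if (!password_verify($submitted, $storedHash)) {
        return false;
    }

    if (password_needs_rehash($storedHash, HASH_ALGO, HASH_OPTS)) {
        $newHash = password_hash($submitted, HASH_ALGO, HASH_OPTS);
        $upd = $mysqli->prepare('UPDATE users SET password = ? WHERE id = ?');
        $upd->bind_param('si', $newHash, $id);
        $upd->execute();
        $upd->close();
    }
    return true;
}

// Stand-alone demonstration (no database needed) of why the thread prefers
// password_hash over a bare MD5: the same password gives a different hash every
// time because a random salt is generated and stored inside the hash string,
// and one bcrypt hash costs far more CPU time than a batch of MD5 calls.
function demonstrate(): void
{
    $pw = 'correct horse battery staple';  // constructed sample password

    $h1 = password_hash($pw, HASH_ALGO, HASH_OPTS);
    $h2 = password_hash($pw, HASH_ALGO, HASH_OPTS);
    printf("hash 1: %s\nhash 2: %s\n", $h1, $h2);
    printf("same password, different hashes: %s\n", $h1 !== $h2 ? 'yes' : 'no');
    printf("both verify: %s\n",
        (password_verify($pw, $h1) && password_verify($pw, $h2)) ? 'yes' : 'no');
    printf("wrong password rejected: %s\n",
        password_verify('wrong', $h1) ? 'no' : 'yes');

    $t = microtime(true);
    for ($i = 0; $i < 100000; $i++) {
        md5($pw . $i);
    }
    printf("100000 MD5 hashes: %.3f s\n", microtime(true) - $t);

    $t = microtime(true);
    password_hash($pw, HASH_ALGO, HASH_OPTS);
    printf("1 bcrypt hash (cost %d): %.3f s\n", HASH_OPTS['cost'], microtime(true) - $t);
}

if (PHP_SAPI === 'cli') {
    demonstrate();
}
```

Run it from the command line to see the timing gap on your own hardware; the point of the cost parameter is that the same gap applies to anyone guessing against a copy of your table, which is why a per-user salt plus a slow hash answers the "couldn't hackers do the reverse?" question better than MD5 or SHA alone. password_verify and password_needs_rehash also mean you never have to store or compare the salt yourself, since it is part of the hash string.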