Destramic Posted February 7, 2015

Hey guys, I want to pick your brains regarding user password records, please. What I'm trying to achieve is that when the user changes his/her password in 6 months' time, it's not the same as previous passwords. When a user registers I use password_hash() for the password and insert it into the users database table... now I want to keep a record of passwords in my password_records table.

1. Do I save the password (not hashed) so I can compare it later in the future? or
2. Save the hashed password in the password records and do a foreach loop over the password hashes using password_verify()?

May seem transparent to go with the latter, but any advice or a better solution would be great. Thanks guys

https://forums.phpfreaks.com/topic/294444-password-records-done-the-correct-way/
NotionCommotion Posted February 7, 2015

If you are going to save the passwords in the database, don't even bother hashing them in the first place. That being said, you don't want to not hash your passwords, thus do the second choice!
Ch0cu3r Posted February 7, 2015

If you are going to allow the user to change their password, then all you need to do is get the user to provide their current password and their new password. If hashing their current password matches the password hash stored in the database, then you hash the new password they provided and update the password hash stored in the database.
NotionCommotion Posted February 7, 2015

> If you are going to allow the user to change their password then all you need to do is get the user to provide their current password and their new password. If hashing their current password matches the password hash stored in the database then you hash the new password they provided and update the password hash stored in the database.

I've seen applications which prevent me from using the same password if used for the past 10 passwords. Don't know if this really improves security, as it forces one to put sticky notes all over their monitor, and it gets hard to even see the monitor through all of them. But if this functionality was desired, you would need to store the previous hashed passwords.
kicken Posted February 7, 2015

If you want to prevent them from re-using up to x passwords, then what you'd want to do is save the prior hash values and compare the new value with them. Storing the unhashed password would mean that anyone who gained access to the database would be able to see all the users' current (and prior) passwords in plain text. Since people often re-use their password, leaking a user's password not only gives the attacker the password for your site, but potentially many other sites the user also uses.

I personally wouldn't worry about anything beyond checking their new password isn't the same as the current password (if even that). If they want to re-use some password, let them. There's nothing I hate more than a site telling me my chosen password is no good, regardless of the reason why they think it's no good.
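The approach kicken describes (store only the prior hashes, and at change time check the submitted plaintext against each with password_verify()), as an added PHP example that is not code from the thread; the function names and the history length of 5 are assumptions:

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. isPasswordReused(),
// recordPasswordHash() and the history length of 5 are assumptions.

/**
 * True if $candidate matches the user's current hash or any stored prior
 * hash. Only hashes are stored, so the comparison must happen here, while
 * the plaintext the user just submitted is in hand. Every password_verify()
 * call is a full bcrypt run, so $maxHistory bounds the cost of one change.
 */
function isPasswordReused(string $candidate, string $currentHash, array $priorHashes, int $maxHistory = 5): bool
{
    $history = array_slice($priorHashes, 0, $maxHistory);
    array_unshift($history, $currentHash);   // the current password counts too
    foreach ($history as $hash) {
        if (password_verify($candidate, $hash)) {
            return true;
        }
    }
    return false;
}

/**
 * After a successful change the superseded hash moves into the history,
 * newest first, trimmed to $maxHistory entries. This is what the
 * password_records table holds per user; it is the same kind of data as
 * the users table and needs the same protection.
 */
function recordPasswordHash(array $priorHashes, string $supersededHash, int $maxHistory = 5): array
{
    array_unshift($priorHashes, $supersededHash);
    return array_slice($priorHashes, 0, $maxHistory);
}

// Constructed walk-through: the user registers, then changes password once.
$prior   = [];
$current = password_hash('winter2014', PASSWORD_DEFAULT);
$prior   = recordPasswordHash($prior, $current);           // 'winter2014' is now history
$current = password_hash('spring2015', PASSWORD_DEFAULT);  // the current password

foreach (['winter2014', 'spring2015', 'summer2015'] as $newPassword) {
    $verdict = isPasswordReused($newPassword, $current, $prior) ? 'rejected (reused)' : 'accepted';
    echo "$newPassword: $verdict\n";
}
```

Note that a history check is only possible at the moment the user submits a new password, since neither the old nor the new plaintext exists anywhere else.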
NotionCommotion Posted February 7, 2015

> There's nothing I hate more than a site telling me my chosen password is no good, regardless of the reason why they think it's no good.

I totally agree. For most applications, the user should assess the risk and choose a password of applicable strength.
Destramic (Author) Posted February 9, 2015

I'm not a great fan of passwords being changed on demand either, but thought it may help security... but thank you for your views and help guys... gonna go with looping it and checking it through a loop. Cheers