Jump to content

Recommended Posts

hey guys i want to pick you brains regarding user password records please.

 

what im trying to achieve is when the user changes his/her password in 6 months time that its not the same as previous passwords.

 

when a user registers i use password_hash() for the password and insert into users database table...now i want to keep a record of passwords in my password_records table.

 

1. do i save the password (not hashed) so i can compare in later in the future?

or

2. save the hashed password in the password records and do a foreach loop of the password hashes using password_verify()?

 

may seem transparent to go with the lata, but any advise or a better solution would be great.

 

thank guys

 

 

Link to comment
https://forums.phpfreaks.com/topic/294444-password-records-done-the-correct-way/
Share on other sites

If you are going to allow the user to change their password then all you need to do is get the user to provide their current password and their new password. If hashing their current password matches the password hash stored in the database then you hash the new password they provided and update the password hash stored in the database.

If you are going to allow the user to change their password then all you need to do is get the user to provide their current password and their new password. If hashing their current password matches the password hash stored in the database then you hash the new password they provided and update the password hash stored in the database.

 

I've seen applications which prevent me from using the same password if used for the past 10 passwords.  Don't know if this really improves security as it forces one to put sticky notes all over their monitor, and it gets hard to even see the monitor thru all of them.  But if this functionality was desired, you would need to store the previous hashed passwords.

If you want to prevent them from re-using upto x passwords, then what you'd want to do is save the prior hash values and compare the new value with them. Storing the unhashed password would mean that anyone who gained access to the database would be able to see all the user's current (and prior) passwords in plain text. Since people often re-use their password leaking a user's password not only gives the attacker the password for your site, but potentially many over sites the user also uses.

 

I personally wouldn't worry about anything beyond checking their new password isn't the same as the current password (if even that). If they want to re-use some password let them. There's nothing I hate more than a site telling me my chosen password is no good, regardless of the reason why they think it's no good.

  • Like 1

There's nothing I hate more than a site telling me my chosen password is no good, regardless of the reason why they think it's no good.

 

I totally agree.  For most applications, the user should assess the risk, and chose a  password of applicable strength.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.