How to use salts and hashes with PHP?


Here's the thing, folks: I have to build a user registration and login system, but I wanted to increase the security of this system by using salts in the passwords. Could someone show me a simple example of this?

  • Please read the answers to this question: http://answall.com/questions/3571/qual-o-melhor-jeito-de-fazer-um-sistema-de-login-em-senha-com-php/4479#4479

  • Take a look here: http://br.phptherightway.com/. It talks about some frameworks for that.

1 answer

5

Past

I recommend that you use the solution that WordPress and Drupal use. I think if they use it, then it should be safe enough. Don't you think?

It's called the Portable PHP password hashing framework.

The hash that this solution generates already contains the salt embedded in it: you don't have to worry about it, but you get the benefit. That is, you will effectively be using salts and hashes, increasing security, and in an extremely simple way, simpler than I think you expected to see in an answer. If you want to understand more about what goes on behind the scenes, feel free to research further. I'll just show you how WordPress and Drupal do it.

To generate the hash:

require( 'PasswordHash.php' );
// The phpass constructor takes two required arguments: the base-2 log of the
// iteration count (cost) and whether to use portable (MD5-based) hashes.
// WordPress itself uses ( 8, true ).
$hasher = new PasswordHash( 8, true );
$passHash = $hasher->HashPassword( 'senha' );

Done! In the variable $passHash you now have the password "salted" and "hashed", ready to go to the database.

Here's what's interesting: every time you call the function HashPassword on the same password, it will return you a different hash. This is precisely because the salt is stored together with the hash in the string that is returned.

Therefore, you have no way to check later whether the user is entering the right password by doing something like this, as you usually would with a weak hash such as MD5:

if ( $hasher->HashPassword( 'senha' ) == $passHash_obtido_do_BD )

Why doesn't it work? It doesn't work because, as was said, the hash generated is different each time!

But the solution to check if the password is correct is equally simple and easy:

require( 'PasswordHash.php' );
// Same two required constructor arguments as when the hash was generated.
$hasher = new PasswordHash( 8, true );
// CheckPassword reads the salt out of the stored hash and compares for you.
if ( $hasher->CheckPassword( 'senha', $passHash_obtido_do_BD ) )

So? Why make it more complicated if you can offer a solution as good as the one WordPress uses, in your projects and for your customers?

Check out WordPress's wp_check_password function yourself, so you can see I'm not making this up:


Present

IMPORTANT CONSIDERATION: an authentication and authorization system, thinking about the interface, database access, login and logout, cookies, vulnerabilities, et cetera, involves many more questions not addressed here. You fortunately asked a very objective question about only one specific point: how to "season" the password with salts and hash it? After all, we don't want to store it in plain text in the database; we want to effectively make it very difficult for the passwords to be "broken" and discovered; we want to make it very difficult even for us to know the passwords ourselves. The above solution focuses on this, and only this, bringing a practical tool which you can already use and get the benefits from, in the simplest way possible. Then you can proceed satisfied to the next piece of the puzzle.


Future

All my blah-blah-blah above will soon become a thing of the past, since from PHP version 5.5 we will have the same functionality already built in.

The function password_hash is equivalent to HashPassword, and the function password_verify is equivalent to CheckPassword, exactly as explained above. Check out the documentation: http://php.net/manual/en/ref.password.php

Here are the updated examples for the future:

// Obtaining the hash (the algorithm argument is required; PASSWORD_DEFAULT is currently bcrypt):
$passHash = password_hash( 'senha', PASSWORD_DEFAULT );

// Verifying the password:
if ( password_verify( 'senha', $passHash_obtido_do_BD ) )
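As an added example (not part of the original answer), here is the password_hash()/password_verify() flow from the answer written out as a small registration and login check over a constructed in-memory user array, showing why the "hash again and compare" check fails and how password_needs_rehash() lets you raise the cost later. The function names, the cost of 12 and the sample users are assumptions of this example; it requires PHP 5.5 or later.

```php
<?php
// Constructed example; not code from the original answer or from WordPress/phpass.
// The hashing parameters are an assumption: PASSWORD_DEFAULT is bcrypt today and
// a cost of 12 is a reasonable starting point for a web login.
function hashOptions()
{
    return array('cost' => 12);
}

// Registration: store only the salted hash, never the plain-text password.
// password_hash() draws a fresh random salt and embeds it in the returned string.
function registerUser(array &$users, $username, $password)
{
    $users[$username] = password_hash($password, PASSWORD_DEFAULT, hashOptions());
}

// Login: password_verify() reads the salt and cost back out of the stored hash,
// so the caller never has to handle the salt itself.
function loginUser(array &$users, $username, $password)
{
    if (!isset($users[$username])) {
        return false;
    }
    $stored = $users[$username];
    if (!password_verify($password, $stored)) {
        return false;
    }
    // The password is correct and we have it in hand: if the stored hash was made
    // with an older algorithm or a lower cost, replace it now with a current one.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, hashOptions())) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT, hashOptions());
    }
    return true;
}

// Constructed in-memory user store standing in for the database.
$users = array();
registerUser($users, 'alice', 'senha');

// The naive MD5-style check from the answer: a second hash of the same password
// never equals the stored one, because each call uses a new salt.
$again = password_hash('senha', PASSWORD_DEFAULT, hashOptions());
var_dump($again === $users['alice']);

// The correct check goes through password_verify().
var_dump(loginUser($users, 'alice', 'senha'));
var_dump(loginUser($users, 'alice', 'wrong'));
var_dump(loginUser($users, 'nobody', 'senha'));
```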
