Safely store passwords in a database


How to protect passwords with PHP

Posted on 12 October 2018 by Beaming Support

This is an advanced guide for people who wish to understand how to protect passwords with PHP in a database and the correct methods for doing so. It is by no means a coding tutorial, but rather the theoretical knowledge you should understand before you pursue developing the application.

Hashing

Obviously we could store passwords in plain-text but this is a big ‘no no’. Should an attacker get into your database, s/he will be able to see all users’ passwords giving them access to their accounts. Not only this, people tend to use the same password on many accounts, so the attacker could use this same password to try and gain access to users’ emails, social media or anything else.

Another possible method, known commonly as Two-way Encryption, has two subsections: symmetric and asymmetric. It is a brilliant method for secret communications, but doesn’t quite suit our needs to fully protect a password. Two-way encryption requires a key that encrypts (locks) and decrypts (unlocks) the password, so should the attacker get hold of the database they could attempt to crack the key, meaning all passwords could be converted to clear text.

We want to be able to store passwords in our databases in a form that is encrypted but nearly non-reversible, which requires transforming the data in one direction only. This method is known as Hashing.

To truly protect our passwords, we need to encrypt them with a one-way algorithm such as MD5 or SHA, which have no associated key and thus cannot be reversed into clear text (well, not without extreme difficulty).

MD5

MD5 is the first hashing method to be properly developed and used in production, back in 1992. It is a simple method that hashes the password over 64 iterations using a mixture of XOR, AND, OR, NOT, ROTATE and 32-bit swaps. That may sound advanced, but it doesn’t offer much in the modern world of computing, because in 2004 the first recorded crack of this algorithm was made. The hashing algorithm isn’t quite robust enough; MD5 doesn’t use enough modern methods such as “mix-mince-shred-and-liquidise”. Without them there is a high chance that two different inputs could end up with the same MD5 output, known as a collision (not good!).

SHA-1

SHA-1 (the successor of SHA-0) is another hash, published in 1995 as a development upon MD5, and uses more robust methods to hash the password.

SHA-256

SHA-256 (a member of the SHA-2 family, the successor of SHA-1) is what we’d recommend when securing any passwords in a database.

PHP implementation of hashing

With that covered, this article is about how to protect passwords with PHP, so now we come to that. We’re going to use PHP as an example of how to hash data in your database. It has a brilliant function, password_hash, which has been around since version 5.5 and will perform the hashing for you. Let’s start out with our password: Oranges&Cups1901! We want to store this in our database, but in a format which is not readable by humans and can’t be reversed by computers.

<?php
// Hash the plain-text password with the current default algorithm (bcrypt).
$hashedPassword = password_hash("Oranges&Cups1901!", PASSWORD_DEFAULT);
echo $hashedPassword;

This will output something similar to $2y$10$6qISTK4rK5JFH7CP2ftZqugh2DR281lCR7gL0FdVu0cJZiWsGFGtm, which is great, as we have no way of reversing this to its clear format. So how does this work, given that a password entered by a user would be in clear text? This is where PHP’s password_verify function comes in. It takes two parameters, the plain password and the hash from the database, and checks that the password entered matches the one stored in the database.

<?php
// $userEnteredPassword comes from the login form; $hash is the value
// previously produced by password_hash() and stored in the database.
$matched = password_verify($userEnteredPassword, $hash);
if ($matched === true) {
    // Password correct, log that user in!
}

This is a very rudimentary method of storing and comparing passwords and you should be able to do this more efficiently and securely, but this example shows hashing in action.
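As an added example (not code from the original post), here is the register-and-login flow above carried through end to end, using an in-memory array in place of the users table. The function names, the $users array and the dummy-hash trick are assumptions for this demo; the dummy hash is the sample output quoted earlier on this page.

```php
<?php
declare(strict_types=1);

// Sample hash from this page, used so that a login attempt for an unknown
// username still costs one bcrypt verification (no timing hint that the
// username does not exist).
const DUMMY_HASH = '$2y$10$6qISTK4rK5JFH7CP2ftZqugh2DR281lCR7gL0FdVu0cJZiWsGFGtm';

/** Hash a new user's password and store it against the username. */
function registerUser(array &$users, string $username, string $plainPassword): void
{
    // password_hash() generates a fresh random salt on every call, so hashing
    // the same password twice yields two different strings.
    $users[$username] = password_hash($plainPassword, PASSWORD_DEFAULT);
}

/** Check a login attempt; true only when the password matches the stored hash. */
function loginUser(array &$users, string $username, string $plainPassword): bool
{
    if (!isset($users[$username])) {
        password_verify($plainPassword, DUMMY_HASH);
        return false;
    }

    if (!password_verify($plainPassword, $users[$username])) {
        return false;
    }

    // The stored hash may have been made with an older algorithm or a lower
    // cost than the current default; since the plain text is in hand, upgrade it.
    if (password_needs_rehash($users[$username], PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($plainPassword, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed demo data: a hypothetical in-memory users table.
$users = [];
registerUser($users, 'alice', 'Oranges&Cups1901!');

var_dump(loginUser($users, 'alice', 'Oranges&Cups1901!'));
var_dump(loginUser($users, 'alice', 'wrong-password'));
var_dump(loginUser($users, 'bob', 'Oranges&Cups1901!'));
```

The first call succeeds and the other two fail; registering the same password for two users and comparing the stored strings shows the per-call salt at work.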
