Next, I have to make a user registration and login system, but I wanted to increase the security of this system using salts in passwords, could someone show me a simple example of this?
Next, I have to make a user registration and login system, but I wanted to increase the security of this system using salts in passwords, could someone show me a simple example of this?
I recommend that you use the Wordpress and Drupal use. I think if they use then it should be safe enough. Do not you think?
It's called Portable PHP password hashing framework .
The hash that this solution generates already contains the salt embedded - you do not have to worry about it, but you get the benefit. That is, you will effectively be using salts and hashs , increasing security, and in an extremely simple way - simpler than I think you wanted to see in an answer. If you want to understand more about the behind the scenes, then feel free to search more. I'll just show you how Wordpress and Drupal do.
To generate hash :
require( 'PasswordHash.php' );
$hasher = new PasswordHash();
$passHash = $hasher->HashPassword( 'senha' );
Ready! In the variable $passHash
you now have the password "skipped" and "hasheada", ready to go to the database.
See how interesting: every time you call the HashPassword
function for the same password , it will return you a different hash . This happens even because salt is stored next to the hash in the string that is returned.
So you can not check if the user is telling you the right password by doing something like you would usually do with a weak hash such as MD5 : p>
if ( $hasher->HashPassword( 'senha' ) == $passHash_obtido_do_BD )
Why does not this work? It does not work because, as has been said, each time the hash is different!
But the solution to verify that the password entered is correct is equally simple and easy:
require( 'PasswordHash.php' );
$hasher = new PasswordHash();
if ( $hasher->CheckPassword( 'senha', $passHash_obtido_do_BD ) )
And then? So what's more complicated if you can offer a solution as good as Wordpress uses in your projects and for your customers?
Check out the Wordpress wp_check_password function, not to mention I'm making it up:
IMPORTANT CONSIDERATION: An authentication and authorization system, thinking from the interface, database access, login and logout, cookies, vulnerabilities, et cetera , involve more a lot of issues not covered here. You have, fortunately, asked a very objective question about just one specific point: how to "temper" the password with salts and hashear the same? After all, we do not want to store it in plain text in the database; we effectively want to make it so difficult for passwords to be "broken" and discovered; we want to make it so difficult that even we do not know how to know the passwords. The above solution focuses on this, and only that, bringing a practical tool that you can use already, get the benefits, and in the simplest way possible. Then you can proceed satisfied to the next item in the puzzle.
All my bla-blah-blah up will soon become a thing of the past, since from PHP version 5.5 we will have the same functionality already built in.
The password_hash
function equals HashPassword
, and the < password_verify
% is equal to CheckPassword
, exactly as explained above. Check out the documentation: link
Here are the updated examples for the future:
// Obtendo o hash:
$passHash = password_hash( 'senha' );
// Verificando a senha:
if ( password_verify( 'senha', $passHash_obtido_do_BD ) )