You do not store passwords in the database, instead you store the hashes, and use this as a comparison when you have to log in.
MD5 and SHA1 are one-way functions: you cannot reverse them, but there are ready-made tables holding an infinity of MD5 hashes and their corresponding values, and likewise for SHA1. I'd say SHA1 is a bit safer because it's a little slower.
To make it difficult for a weak password to be exposed if your database is leaked, use some salt.
[salt]+[password-hash]
Salt: a randomly generated string that is used when computing the hash of your password, usually stored in the database next to the generated hash.
Implementation example
<?php
// User input
$input = 'minhasenha123';
// Generate the hash of the user's password
$hash = password_hash($input, PASSWORD_BCRYPT);
// Generated hash (it will be unique each time)
echo $hash;
// This must be stored in the database and used for comparison.
Let's assume that the above code produced the following result:
$2y$10$OOCtogTSo0egjw1ZUHXndei8h/sZGNQh.iKBn9L2T4VbYvSGFEnP.
Each time we run it is unique, but we have saved the hash in the database, and now we will use it to compare the login.
<?php
// User input at login
$input = 'minhasenha123';
/**
 * Code to fetch from the database the hash belonging
 * to the user who attempted to log in.
 *
 * Here, for the example, we use a literal string, but in your application
 * you must check which user made the request, whether that user exists,
 * load that user's password hash into a variable, and compare it
 * with the login input.
 */
$hash = '$2y$10$OOCtogTSo0egjw1ZUHXndei8h/sZGNQh.iKBn9L2T4VbYvSGFEnP.';
// Perform the check
if (password_verify($input, $hash))
{
    echo 'User logged in';
}
else
{
    echo 'Invalid password';
}
I also recommend that you use the slowest and most robust option, PASSWORD_BCRYPT (yes, slower: it is essential to deliberately slow down performance when it comes to password hashing, so your system is less vulnerable to brute-force attacks).
Note: the password_hash function is available in PHP version 5.5 or higher.
This is the simplest implementation and has a lot of security.
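As an added example (not part of the original answer), here is the same password_hash / password_verify pattern turned into a small register/login flow. It uses an in-memory array as a constructed stand-in for the users table, an assumed bcrypt cost of 12, and password_needs_rehash so that old hashes are upgraded transparently when the user next logs in; registerUser and loginUser are names chosen for this illustration.

```php
<?php
declare(strict_types=1);

// Hashing options: a higher cost makes each hash (and each brute-force
// guess) slower. 12 is an assumed value; measure it on your own hardware.
const HASH_ALGO = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 12];

// Constructed stand-in for a users table: username => password hash.
$users = [];

function registerUser(array &$users, string $username, string $password): void
{
    // password_hash generates a random salt and embeds it in the output
    // ($2y$<cost>$<22-char salt><31-char hash>), so only this string is stored;
    // there is no separate salt column to manage.
    $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

function loginUser(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        // Unknown user: still run one verification so the response time
        // does not reveal whether the username exists.
        static $dummyHash = null;
        $dummyHash ??= password_hash('dummy', HASH_ALGO, HASH_OPTIONS);
        password_verify($password, $dummyHash);
        return false;
    }

    $hash = $users[$username];
    if (!password_verify($password, $hash)) {
        return false;
    }

    // If the stored hash was produced with a different algorithm or a lower
    // cost, re-hash now, while the plaintext is available, and store the result.
    if (password_needs_rehash($hash, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

// Usage
registerUser($users, 'alice', 'minhasenha123');
echo loginUser($users, 'alice', 'minhasenha123') ? "alice: logged in\n" : "alice: invalid\n";
echo loginUser($users, 'alice', 'wrong-password') ? "alice: logged in\n" : "alice: invalid\n";
echo loginUser($users, 'bob', 'minhasenha123') ? "bob: logged in\n" : "bob: invalid\n";
```

Because the salt is embedded in the hash string, password_verify needs nothing but the stored value; raising the cost later only requires changing HASH_OPTIONS, and password_needs_rehash migrates each account the next time its owner logs in successfully.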