InfinityQuest - Programming Code Tutorials and Examples with Python, C++, Java, PHP, C#, JavaScript, Swift and more

Menu
  • Home
  • Sitemap

Python Programming Language Best Tutorials and Code Examples

Learn Python Right Now!
Home
PHP
Storing Passwords in PHP
PHP

Storing Passwords in PHP

InfinityCoder December 20, 2016

You need to keep track of users’ passwords, so they can log in to your website.

When a user signs up or registers, hash the chosen password with bcrypt and store the hashed password in your database of users.
With PHP 5.5 and later, use the built-in password_hash() function:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
/* Initialize an array for filtered data. */
$clean = array();
 
/* Hash the password. */
$hashed_password = password_hash($_POST['password'], PASSWORD_DEFAULT);
 
/* Allow alphanumeric usernames. */
if (ctype_alnum($_POST['username'])) {
    $clean['username'] = $_POST['username'];
} else {
    /* Error */
}
 
/* Store user in the database. */
$st = $db->prepare('INSERT
             INTO   users (username, password)
             VALUES (?, ?)');
$st->execute(array($clean['username'], $hashed_password));

Then, when that user attempts to log in to your website, use the password_verify() function to see if the supplied password matches the stored, hashed value:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
/* Initialize an array for filtered data. */
$clean = array();
 
/* Allow alphanumeric usernames. */
if (ctype_alnum($_POST['username'])) {
    $clean['username'] = $_POST['username'];
} else {
    /* Error */
}
 
$stmt = $db->prepare('SELECT password
               FROM users
               WHERE username = ?');
$stmt->execute(array($clean['username']));
$hashed_password = $stmt->fetchColumn();
 
if (password_verify($_POST['password'], $hashed_password)) {
   /* Login succeeds. */
   print "Login OK!";
} else {
   /* Login fails. */
}

If you are not using PHP 5.5 but are using PHP 5.3.7 or later, install the password_com pat library for implementations of password_hash() and password_verify().
If you are using an older version of PHP, the following Discussion outlines your options for secure password storage.

Storing hashed passwords prevents users’ accounts from becoming compromised if an unauthorized person gets a peek at your username and password database (although such unauthorized peeks may foreshadow other security problems).
The password_hash() and password_verify() functions do two things to make it hard for a bad guy to exploit access to the hashed passwords.

First, they incorporate a “salt” string into the value that gets hashed. This means that even if two of your users choose
the same plain-text password, the hashed value of that password will be different for each user.

If the bad guy figures out one of the user’s passwords, he won’t easily be able to figure out the other.
The second notable feature of these functions is they use an algorithm (currently bcrypt) whose cost can be adjusted.

This means that as the computers of bad guys grow more powerful over time, you can easily make it more expensive (computationally) to turn a hashed password into a plain-text password.
Because it’s hard to turn hashed passwords into plain-text passwords, your stored passwords are somewhat more secure.

This also means that you can’t get at the plain text of users’ passwords, even if you need to. For example, if a user forgets his password, you won’t be able to tell him what it is.

The best you can do is reset the password to a new value and then tell the user the new password.
If you’re using a version of PHP prior to 5.3.7, you can generate reasonably secure password hashes by using the built-in crypt() function:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
/* Initialize an array for filtered data. */
$clean = array();
/* Generate an appropriate salt. '$2a$' tells crypt() to
* use the Blowfish algorithm, and the 08 tells it to do
* 256 (2^8) rounds of hashing */
$salt = '$2a$08$';
/* Blowfish hashes are 22 bytes long, each byte is
* from 0-9, A-Z, a-z */
for ($i = 0; $i < 22; $i++) {
    $r = mt_rand(0, 61);
    if ($r < 10) {
        $c = ord('0') + $r;
    }
    else if ($r < 36) {
        $c = ord('A') + $r - 10;
    }
    else {
        $c = ord('a') + $r - 36;
    }
    $salt .= chr($c);
}
 
$hashed_password = crypt($_POST['password'], $salt);
 
/* Allow alphanumeric usernames. */
if (ctype_alnum($_POST['username'])) {
   $clean['username'] = $_POST['username'];
} else {
   /* Error */
}
 
/* Store user in the database. */
$st = $db->prepare('INSERT
             INTO users (username, password)
             VALUES (?, ?)');
$st->execute(array($clean['username'], $hashed_password));

And then verify those passwords by retrieving the stored salt and providing it to crypt() with a user-entered password:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
/* Initialize an array for filtered data. */
$clean = array();
 
/* Allow alphanumeric usernames. */
if (ctype_alnum($_POST['username'])) {
   $clean['username'] = $_POST['username'];
} else {
   /* Error */
}
$s
tmt = $db->prepare('SELECT password
             FROM users
             WHERE username = ?');
$stmt->execute(array($clean['username']));
$hashed_password = $stmt->fetchColumn();
$salt = substr($hashed_password, 0, strlen('$2a$08$') + 22);
 
if (crypt($_POST['password'], $salt) === $hashed_password) {
   /* Login succeeds. */
   print "Login OK!";
} else {
   /* Login fails. */
}

When using crypt(), you need to grab the appropriate salt (and the $2a$08$ prefix that tells crypt() to use Blowfish) out of the stored value in order to provide it to crypt() with whatever attempted password the user entered.

This ensures that the re-hashed value will match if the passwords match. If you are using a version of PHP prior to 5.3.0 and your system’s library that crypt() relies on does not include support for Blowfish, the preceding code will not work, because crypt() will not be able to use the Blowfish algorithm.

Test for this by checking the value of the CRYPT_BLOWFISH constant. If that is 0, then you do not have Blowfish
support.
In that case, you can either upgrade to PHP 5.3 (which bundles its own Blowfish implementation) or use a different password hashing function, such as the sha1() function.
If you want to maximize your password security, upgrading your version of PHP is the better choice.

The SHA1 algorithm is much faster to compute than Blowfish, so it is easier for attackers to find plain-text passwords that match a given hashed value.

Share
Tweet
Email
Prev Article
Next Article

Related Articles

Accessing Function Parameters in PHP
You want to access the values passed to a function. …

Accessing Function Parameters in PHP

Defining Object Stringification in PHP
You want to control how PHP displays an object when …

Defining Object Stringification in PHP

About The Author

InfinityCoder
InfinityCoder

Leave a Reply

Cancel reply

Recent Tutorials InfinityQuest

  • Adding New Features to bash Using Loadable Built-ins in bash
    Adding New Features to bash Using Loadable …
    June 27, 2017 0
  • Getting to the Bottom of Things in bash
    Getting to the Bottom of Things in …
    June 27, 2017 0

Recent Comments

  • fer on Turning a Dictionary into XML in Python
  • mahesh on Turning a Dictionary into XML in Python

Categories

  • Bash
  • PHP
  • Python
  • Uncategorized

InfinityQuest - Programming Code Tutorials and Examples with Python, C++, Java, PHP, C#, JavaScript, Swift and more

About Us

Start learning your desired programming language with InfinityQuest.com.

On our website you can access any tutorial that you want with video and code examples.

We are very happy and honored that InfinityQuest.com has been listed as a recommended learning website for students.

Popular Tags

binary data python CIDR convert string into datetime python create xml from dict python dictionary into xml python how to create xml with dict in Python how to write binary data in Python IP Address read binary data python tutorial string as date object python string to datetime python

Archives

  • June 2017
  • April 2017
  • February 2017
  • January 2017
  • December 2016
  • November 2016
Copyright © 2021 InfinityQuest - Programming Code Tutorials and Examples with Python, C++, Java, PHP, C#, JavaScript, Swift and more
Programming Tutorials | Sitemap