I am using PHP for a basic application to log in to the system, edit account information, and delete an account. I have a MySQL database. I need to encrypt/decrypt passwords using a salt. How do I do it? I just need to make sure the data is secure.
Related: http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords – Thomas Glaser Nov 23 '12 at 09:51
2 Answers
5
You don't want to encrypt passwords. You want to hash them.
Some reading: http://php.net/manual/en/faq.passwords.php
Related SO post: how to hash the password and get it back


MikeSmithDev
2
Passwords should be hashed. In contrast to encryption, this is a one-way function that should make it impossible to get back the original password.
- Store only the hash value in the database, and compare against this value for login.
- Use a unique salt per password; it can be stored in plaintext in the same database field as your hash value.
- Use a slow key-derivation function like bcrypt to prevent brute-force attacks.
It's recommended to use a well-established library like phpass to build the hashes. For further reading, have a look at this tutorial.

martinstoeckli
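The three points in the answer above (store only the hash, one salt per password kept in the same field, a slow function such as bcrypt) as an added example that is not from either answerer. It uses PHP's built-in `password_hash()` / `password_verify()` (PHP 5.5+) in place of phpass; the `users` table, its column names, and the in-memory SQLite connection standing in for MySQL are assumptions made so the script runs on its own.

```php
<?php
// Added example: table/column names and the SQLite stand-in are assumptions.
$db = new PDO('sqlite::memory:');            // stand-in for the MySQL connection
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// One column holds algorithm id, cost, salt and hash together (bcrypt output is 60 chars).
$db->exec('CREATE TABLE users (name VARCHAR(64) PRIMARY KEY, password_hash VARCHAR(255) NOT NULL)');

const HASH_OPTIONS = ['cost' => 12];         // bcrypt work factor; tune to your hardware

function register(PDO $db, string $name, string $password): void
{
    // password_hash() generates a fresh random salt on every call.
    $hash = password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS);
    $db->prepare('INSERT INTO users (name, password_hash) VALUES (?, ?)')
       ->execute([$name, $hash]);
}

function login(PDO $db, string $name, string $password): bool
{
    static $dummy = null;
    // Verified against when the account is unknown, so both paths cost one bcrypt run.
    $dummy = $dummy ?? password_hash('constructed-dummy-value', PASSWORD_BCRYPT, HASH_OPTIONS);

    $stmt = $db->prepare('SELECT password_hash FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $stored = $stmt->fetchColumn();          // false when no such user

    // password_verify() reads salt and cost from the stored string itself.
    $ok = password_verify($password, $stored !== false ? $stored : $dummy) && $stored !== false;

    // Re-hash on successful login if the cost setting has been raised since storage.
    if ($ok && password_needs_rehash($stored, PASSWORD_BCRYPT, HASH_OPTIONS)) {
        $db->prepare('UPDATE users SET password_hash = ? WHERE name = ?')
           ->execute([password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS), $name]);
    }
    return $ok;
}

// Constructed sample data: two users with the same password get different hashes.
register($db, 'alice', 'constructed sample passphrase');
register($db, 'bob',   'constructed sample passphrase');
$hashes = $db->query('SELECT password_hash FROM users ORDER BY name')->fetchAll(PDO::FETCH_COLUMN);
var_dump($hashes[0] !== $hashes[1]);                              // salts differ per password
var_dump(login($db, 'alice', 'constructed sample passphrase'));   // correct password
var_dump(login($db, 'alice', 'wrong guess'));                     // wrong password
var_dump(login($db, 'nobody', 'anything'));                       // unknown account
```

bcrypt only considers the first 72 bytes of the input, so very long passphrases are effectively truncated at that length.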