1

I'm using CodeIgniter, and am creating a section of the site where users need to be logged in. I have been reading about storing passwords as MD5 Hashes and encrypted strings with salts, but I don't see anything about decryption.

Is it efficient/safe to encrypt password attempts the same way they were encrypted when they were stored to check for validation?

Is this the recommended way of storing passwords in a php application or using the CodeIgniter Framework?

Sakamoto Kazuma
  • Sidenote: take a look at libraries that are made for authentication already. http://stackoverflow.com/questions/346980/how-should-i-choose-an-authentication-library-for-codeigniter – Kyslik May 30 '13 at 23:00
  • possible duplicate of [How do you use bcrypt for hashing passwords in PHP?](http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php) – kittycat May 31 '13 at 00:40
  • @Kyslik if your comment was an answer, I'd have accepted it. Thanks!! – Sakamoto Kazuma May 31 '13 at 02:52
  • When saving a password verifier just using a hash function is not sufficient and just adding a salt does little to improve the security. Instead iterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Use a function such as `PBKDF2`, `Rfc2898DeriveBytes`, `password_hash`, `Bcrypt`, `passlib.hash` or similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force. – zaph Jul 21 '17 at 15:12

6 Answers

3

There are already auth libraries "ready to go" (out of the box, one might say); here is a link to another question that is similar to this one: http://www.stackoverflow.com/questions/346980/how-should-i-choose-an-authentication-library-for-codeigniter
Note: I like Tank Auth with "groups".

Kyslik
1

CodeIgniter uses a library called "Tank Auth": http://konyukhov.com/soft/tank_auth/ It includes the class "PasswordHash.php": http://bit.ly/1gahwtT

Example code:

require "PasswordHash.php";

// TRUE = phpass "portable" (MD5-based) hashes; FALSE = prefer bcrypt where the PHP build supports it
define("phpass_hash_portable", TRUE);
// cost factor (base-2 log of the iteration count); each increment doubles the work
define("phpass_hash_strength", 8);

$hasher = new PasswordHash(phpass_hash_strength, phpass_hash_portable);

// $original_encoded_password is the string previously returned by $hasher->HashPassword()
// at registration; $password_to_check is the plaintext from the login form
if ($hasher->CheckPassword($password_to_check, $original_encoded_password)) {
    echo "password correct";
} else {
    echo "password incorrect";
}

joan16v
0

The two comments on your question show links to good answers; to add more: if you're just into hashing, you can also use crypt. Note that crypt is different from mcrypt (fooled me once). An example of crypt can be found in the Laravel 3 Hash class. Or you can also use phpass, a library that utilizes OpenBSD-style Blowfish-based bcrypt.

And thanks to cryptic, ircmaxell also has a hashing library; check it out here.

tomexsans
  • Ohh yeah, I did not know that library; better update my answer to include that one @crypticツ – tomexsans Jun 01 '13 at 03:03
  • PHP 5.5 will contain native support for `password_hash()`, so using the above library makes it already compatible with it; no need to modify code to use it, just remove the library when upgrading and you're all good. =o) – kittycat Jun 01 '13 at 03:05
0

Do not use md5 or base64. Sha1 is also broken. It's better to use bcrypt.

You can use this library with CodeIgniter to verify the bcrypt passwords.

Darshan
-2

The passwords are stored in hashed format because in most cases it is not needed to restore them to the original string. The md5 function generates a unique 32-character-long string that can be verified by just comparing two hashes. To answer your question:

  • Yes, this is a standard way of saving passwords.
  • MD5 is no longer secure enough, so most people are starting to use the PHP hash function with algorithm 'sha512' and salt, of course.

lexmihaylov
  • **Do not use MD5 or the linked PHP hash function**, they are not secure. The best, easiest and most secure method for PHP is the combination of `password_hash` and `password_verify`. – zaph Jul 21 '17 at 15:17
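A worked example of the `password_hash()` / `password_verify()` flow recommended in the comments above, which also answers the original question of whether a login attempt is checked by recomputing the hash rather than by decrypting anything. This is an added illustration, not code from any answer on this page or from CodeIgniter; the function names `make_password_hash` and `check_login`, the cost value and the sample password are assumptions, and it requires PHP 5.5 or the password_compat polyfill mentioned elsewhere on the page.

```php
<?php
// Added example: verify a login attempt by recomputing the hash with
// password_hash()/password_verify(). Names below are hypothetical.

// At registration: persist only what password_hash() returns. It draws a
// random salt per user and encodes salt, algorithm and cost into the string,
// so the salt does not need a separate column.
function make_password_hash($plaintext)
{
    // cost 12 is an assumed value; raise it until one hash takes ~100 ms on your server
    return password_hash($plaintext, PASSWORD_BCRYPT, array('cost' => 12));
}

// At login: password_verify() reads the salt and cost back out of the stored
// string, hashes the attempt the same way and compares in constant time.
// The stored hash is never "decrypted"; bcrypt output cannot be reversed.
function check_login($attempt, $stored_hash, &$upgraded_hash = null)
{
    if (!password_verify($attempt, $stored_hash)) {
        return false;
    }
    // If the cost or algorithm has been raised since this hash was written,
    // rehash now while the plaintext is in hand and let the caller save it.
    if (password_needs_rehash($stored_hash, PASSWORD_BCRYPT, array('cost' => 12))) {
        $upgraded_hash = make_password_hash($attempt);
    }
    return true;
}

// Constructed demo data (no real user); in CodeIgniter this is the value you
// would read from and write back to your users table.
$stored = make_password_hash('correct horse battery staple');

$upgraded = null;
var_dump(check_login('correct horse battery staple', $stored, $upgraded));
var_dump(check_login('wrong-password', $stored, $upgraded));

// Hashing the same password twice yields different strings because the salt
// is random per call, so a leaked table cannot be attacked with one
// precomputed lookup table; password_verify() still accepts both.
var_dump($stored === make_password_hash('correct horse battery staple'));
```

The first `check_login` call succeeds and the second fails, and the two hashes of the same password compare unequal; if `$upgraded` is set after a successful login, write it back to the user's row so old hashes are transparently migrated to the current cost.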
-3

This function may be useful to you:

$this->load->library('encrypt');
// CodeIgniter's Encrypt library exposes a plain (unsalted) SHA-1 helper
$hash = $this->encrypt->sha1($your_password);
M.B Kakadiya
  • This is such a bad way to store passwords. SHA1 is just as broken as MD5, also you use no salt. You need to use Bcrypt for password hashing. PHP 5.5 will have native support for it, otherwise use https://github.com/ircmaxell/password_compat – kittycat May 31 '13 at 17:36