Using hashing to safely store user passwords

Question

Please try to search StackOverflow before asking a question. Many questions are already answered. For example:

PHP & MySQL compare password

how do I create a mySQL user with hash(‘sha256’, $salt . $password)?

Secure hash and salt for PHP passwords

User Login with a single query and per-user password salt

Non-random salt for password hashes

Hi

I want that nobody can see my password even in database..

So i used hash function like this

$passowrd_hash=hash('shal',$_POST['password']);

Now easily I can store this password_hash value into database. It will be something like in encrypted form.

Now user know its original password he don't know this encrypted password.

Now if he try to login through this original password..He is not able to login.

So is there any method so that it can be decrypted and user can make log in. So he can achieve both security of password as well as login again.

How to do this?

When you like one of the answers, please mark it as accepted — tanascius, Jan 25 '10 at 14:30

score 13 · Accepted Answer · answered Jan 25 '10 at 14:28

13

you need to hash the user input password and compare hashes.

answered Jan 25 '10 at 14:28

John Boker

82,559
17
97
130

Lukasz · Answer 2 · 2010-01-25T14:36:29.943

1

All you need to do is encrypt the password you type in and compare the two; the hash in the database and the one you just encrypted. If they match then the password entered is the right one. I am assuming you are using an algorithm like SHA1.

edited Jan 25 '10 at 14:36

answered Jan 25 '10 at 14:28

Lukasz

8,710
12
44
72

at least, with very high probability – Martijn Jan 25 '10 at 14:30

score 1 · Answer 3 · answered Jan 25 '10 at 14:30

1

Before comparing the posted password by the user with the one in the database, encrypt the posted password the same way as the stored password.

answered Jan 25 '10 at 14:30

nocksock

5,369
6
38
63

Bhaskar · Answer 4 · 2010-01-25T14:41:44.810

1

You dont need to decrypt it. You cannot convert back a hash to a plain text, its a one way function. So, basically you hash the input password and compare the two hash:

E.g (pseudo code):-

if hash(password entered by user) == password stored in databse Then
    //logged in successfully
else
    //login failed
end if

edited Jan 25 '10 at 14:41

answered Jan 25 '10 at 14:31

Bhaskar

10,537
6
53
64

The 2nd half of your if statement should be `hashed password stored in the db`. Of course storing an unencrypted password anywhere isn't secure. – Dana the Sane Jan 25 '10 at 14:38

score 1 · Answer 5 · edited May 23 '17 at 12:19

1

As already answered, you need to hash the password every time they re-enter it and compare the hash to what is in your database.

You ALSO should look into using salt in your hashing algorithm. There is a good deal of discussion in this question:

Secure hash and salt for PHP passwords

edited May 23 '17 at 12:19

Community

1
1

answered Jan 25 '10 at 14:40

Licky Lindsay

1,048
6
10

score 0 · Answer 6 · answered Jan 25 '10 at 14:39

0

I highly recommend using md5() http://php.net/manual/en/function.md5.php.

When the user signs up, you store:

$password = md5($_POST['password']);

And when the user logs in you check:

if($_POST['password_entered'] == $passwordFromDB) :
    // Log user in
else :
    // Show error to user
endif;

answered Jan 25 '10 at 14:39

Giles Van Gruisen

961
3
13
27

I would think using sha1() would be more secure? – Elliott Jan 25 '10 at 14:47
MD5 has been broken and should not be used for encryption purposes – John Conde Jan 25 '10 at 14:47

Using hashing to safely store user passwords

6 Answers6

Linked