1

I have created a login form for my admin panel. The users I create are stored in a MySQL database; however, all passwords are visible in plain text. I know I need to use md5 to encode the passwords and make them more secure, I am just unsure as to how to do this...

My code is below:

    <?php
    session_start();
    include("../config.php");   // provides the PDO connection $db

    $username   =   trim($_GET['username']);
    $password   =   trim($_GET['password']);
    $cpassword  =   trim($_GET['cpassword']);
    $name       =   trim($_GET['name']);
    $email      =   trim($_GET['email']);

    $output = array();   // response sent back as JSON

    //Server side validation

    //check whether all fields are entered
    if($username == '' || $password == '' || $name == '' || $email == '')
    {
            $output['error']    =   'error';
            $output['msg']      =   'All fields are mandatory';
    }

    //Check that password and confirm password match
    else if($cpassword != $password)
    {
            $output['error']    =   'error';
            $output['msg']      =   'Password and confirm password do not match';
    }
    else if(!filter_var($email, FILTER_VALIDATE_EMAIL))
    {
            $output['error']    =   'error';
            $output['msg']      =   'Enter correct Email ID';
    }
    // Insert the data into the database
    else{

            // Look for an existing user with this username
            $queryMatch     =   "SELECT * FROM `users` WHERE username=?";
            $statementMatch =   $db->prepare($queryMatch);
            $statementMatch->execute(array($username));

            if($statementMatch->rowCount() > 0) {
                $output['error']    =   'error';
                $output['msg']      =   'Username already exists. Try another username.';
            }else{
                // the password is currently stored exactly as typed (plain text)
                $query      =   "INSERT INTO `users` SET username=?, password=?, name=?, email=?";
                $parameters =   array($username, $password, $name, $email);
                $statement  =   $db->prepare($query);

                $statement->execute($parameters);

                $output['error']    =   'success';
                $output['msg']      =   'Registered successfully. Redirecting to login page..';
            }

    }
    echo json_encode($output);
    ?>

If anyone could help me with this it'd be great. As I say, I know I need to use md5 at some point, I am just unsure how I would add it to this code.

EDIT::

I want to know how to add md5 to this code so that passwords are encoded with md5 and saved in a secure manner. BUT I also want to know how to make passwords more secure. Currently new users have to have a password of 8 characters or more that contains one number and a symbol, but ideally I could do with a way to have them generate 100/100 secure passwords.

If md5 isn't as secure as it seems what other options do I have that can be used instead of md5?

EDIT::

I now realise md5 isn't as secure as initially thought. Please refer to @kyborek's answer for the best solution to this issue.

nlangerdev
    possible duplicate of [Secure hash and salt for PHP passwords](http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords) – Loko Apr 15 '15 at 10:05
  • What is your actual question? "How can I make new users password more secure?" or "How do I use md5?"? – Loko Apr 15 '15 at 10:06
  • 1
    Please consider not using md5 but some other hash functions which are not considered broken. "Software developers, Certification Authorities, website owners, and users should avoid using the MD5 algorithm in any capacity. As previous research has demonstrated, it should be considered cryptographically broken and unsuitable for further use." [source](http://www.kb.cert.org/vuls/id/836068) – Kyborek Apr 15 '15 at 10:11
  • it's a mixture of both really. I want to know how to add md5 to this script so that passwords are encoded with md5 and saved in a secure manner. BUT I also want to know how to make passwords more secure. Currently new users have to have a password of 8 characters or more and contain one number and a symbol but ideally I could do with a way to have them generate 100/100 secure passwords. – nlangerdev Apr 15 '15 at 10:12
  • Thank you @kyborek, so other than md5 what options do I have? – nlangerdev Apr 15 '15 at 10:13
  • Additionally, I would suggest not modifying the password at all (you are running `trim()` on it). Pass the raw password to the hashing function. – ircmaxell Apr 15 '15 at 12:01

4 Answers

0

There are numerous tutorials for password hashing in PHP; all you need to do is search for them.

For example, you could use the built-in functions in PHP: http://php.net/manual/en/function.password-hash.php Here is a summary page for the PHP hashing & verification functions: http://php.net/manual/en/faq.passwords.php

If you want to have the passwords secure (and not just unreadable) you should at least read this answer https://stackoverflow.com/a/401684/1276062

If you really want to use MD5, you could just as well keep the passwords in plaintext.

Kyborek
  • Thank you for the links to the useful posts. I notice now that md5 is not as secure as I originally thought it was. Thank you for the help. – nlangerdev Apr 15 '15 at 10:26
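An added example (not code from the original question or this answer) showing the asker's register and login steps rewritten around the functions this answer links to, `password_hash()` and `password_verify()`. It assumes `$db` is the PDO connection from `config.php` as in the question, PHP 5.5 or later, and a `users.password` column that is at least VARCHAR(255).

```php
<?php
// Added example: the question's register/login flow with password_hash()
// in place of plaintext storage. $db is assumed to be the PDO object from
// the question's config.php; the users.password column is assumed VARCHAR(255).

function registerUser(PDO $db, $username, $password, $name, $email)
{
    // Do not trim() the password: hash it exactly as the user typed it.
    // PASSWORD_DEFAULT is bcrypt today and may change to a stronger algorithm
    // in later PHP versions, which is why the column must be wide enough (255).
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $statement = $db->prepare(
        "INSERT INTO `users` SET username = ?, password = ?, name = ?, email = ?"
    );
    return $statement->execute(array($username, $hash, $name, $email));
}

function loginUser(PDO $db, $username, $password)
{
    $statement = $db->prepare("SELECT password FROM `users` WHERE username = ?");
    $statement->execute(array($username));
    $row = $statement->fetch(PDO::FETCH_ASSOC);

    // When the account does not exist, still run a verify against a throwaway
    // hash so the response time does not reveal which usernames are valid.
    $stored = $row ? $row['password'] : password_hash('placeholder', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $stored)) {
        return false;
    }

    // If the default cost or algorithm has changed since this hash was made,
    // re-hash now, while the plaintext is available, and store the new value.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $update = $db->prepare("UPDATE `users` SET password = ? WHERE username = ?");
        $update->execute(array(password_hash($password, PASSWORD_DEFAULT), $username));
    }
    return true;
}
```

The same `password_verify()` check replaces any `WHERE password = ?` comparison in the login query, since each stored hash carries its own random salt and cannot be matched by equality in SQL.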
0

Just use this while saving your password in your DB, for example:

    $name     = $_POST['name'];
    $address  = $_POST['address'];
    $email    = $_POST['email'];
    $username = $_POST['username'];
    $password = md5($_POST['password']);   // store the MD5 digest instead of the plaintext

    // bind the values instead of interpolating them into the SQL string
    // ($db is the PDO connection from the question's config.php)
    $statement = $db->prepare("INSERT INTO users (name, address, email, username, password) VALUES (?, ?, ?, ?, ?)");
    $statement->execute(array($name, $address, $email, $username, $password));

This way your password will be saved in MD5 format.

Neelesh
-1

It would be easier to use MySQL's built-in PASSWORD() function:

    INSERT INTO `users` SET username=?, password=PASSWORD('mypassword'), name=?, email=?

To validate:

    SELECT * FROM users WHERE username = ? AND password = PASSWORD('mypassword')

To hide all the passwords in bulk:

    UPDATE users SET password = PASSWORD(password)

That will update all the passwords in the database, but before you do that, please modify your login process.

Eko Junaidi Salam
Syed Shah
  • And make sure to run the update query only once or backup database first – Kyborek Apr 15 '15 at 10:13
  • Do **NOT** use MySQL's `Password()` function. It is not secure (not to mention it sends the passwords in clear text to the database, appearing in logs, etc). Not to mention that the function [is deprecated in 5.7](https://dev.mysql.com/doc/refman/5.7/en/encryption-functions.html#function_password) – ircmaxell Apr 15 '15 at 12:00
-1

When you insert your users and their passwords in the database, you apply a hash algorithm to the password together with other data computed from the user (in the example I used the account creation day and the username).

At authentication time, you apply the same hash algorithm to the credentials the user entered.

As a simple example:

    // Database INSERTION TIME
    $username = "Spartan1337";
    $password = "Lanaya_Best_Pick";
    $created_day = "42";

    // username and creation day act as the salt mixed into the hash
    $hash = md5($username . $created_day . $password);

    // Credential input retrieval; variable names changed to emphasise that these are inputs
    $username_input = "Spartan1337";
    $password_input = "Lanaya_Best_Pick";
    function getUserCreatedDay($user) { return ("42"); }

    // Authentication test: recompute the hash from the inputs and compare
    if (md5($username_input . getUserCreatedDay($username_input) . $password_input) == $hash)
        echo ("Success");
    else
        echo ("Fail");

This case is really simple, and you should apply several methods and/or control structures to your hash at insertion time in your database.

If you are familiar with Symfony2, I would advise you to have a look at FosUserBundle's core, because it illustrates the operations you can do on your hash, like loops and other things.

Edit: MD5 is not that safe, by the way.

Edit2: Existing APIs will do the job better than if you write it by hand; this post was just an explanation of what happens behind the scenes.

Answers_Seeker