
Okay, I have an extremely basic knowledge of how to make a secure login system.

If you try to log in, you get the attempted password, hash it with, for example, md5, and try to match the hashed password with the password stored on some sort of database/server (also hashed).

When registering, it stores the md5 hash on the server, but NOT the original. So even if it's breached, it's untraceable. (Even though there are services that have a database of hashes and can attempt to reverse them.)

My problem is: how to store the hash? If I used a MySQL database, it would have the details hard-coded inside, and I don't code in PHP so can't really make an online one.

How would I hide the MySQL credentials in my software?

  • You should be adding a salt to your hash too... – SJB Nov 06 '15 at 16:49
  • Mhm, yes. Any ideas on what I asked, though? – Nov 06 '15 at 16:51
  • Maybe useful? [Using PHP 5.5's `password_hash()` and verify function, am I doing it right?](http://stackoverflow.com/questions/14992367/using-php-5-5s-password-hash-and-verify-function-am-i-doing-it-right). Also: [Hashing Passwords with the PHP 5.5 Password Hashing API](http://www.sitepoint.com/hashing-passwords-php-5-5-password-hashing-api/). There is a compatibility library available for earlier PHP versions. Please use this for your password hashing needs. It is tried and tested. – Ryan Vincent Nov 06 '15 at 16:55
  • A class that uses it and the test code can be found [at pastebin.com](http://pastebin.com/KGsPr6Hx). – Ryan Vincent Nov 06 '15 at 17:10

1 Answer

Don't generate your own salts.

Research the PHP `password_hash` and `password_verify` functions, which do pretty much all you ask, automatically and fairly securely, in PHP 5.5+.

http://php.net/manual/en/function.password-hash.php

Also

http://php.net/manual/en/faq.passwords.php

You can also use this on PHP 5.3 with a good fix made by IRCMaxwell. Here: https://github.com/ircmaxell/password_compat

MD5 has been severely compromised, and there are various rainbow tables and collision functions that can find out what an MD5 hash string originally was (down to a handful of options, which are peanuts to compute). Do not use MD5 for hashing private data.

"How to store the hash"

By storing the hash, I think you mean that you want to store the:

```php
$hash = md5($password_plaintext);
```

If this is so, then you can store this in a MySQL VARCHAR field on the record. Typically people submit login info with a username and password, so the username is used for the MySQL engine to find the row, and then the password hashes are compared to see if they match.

Using `password_hash()`, you would look up the username, then retrieve the associated password hash field value (just that value), and then compare that hash with the plaintext password from the form with:

```php
if (password_verify($posted_login_password_plaintext, $hashfromDatabase)) {
    // if true, the password matches.
}
```

That's all you need. You do not need, and actually should not, store any separate salts for hashing with.

Martin
  • @RyanVincent the standard way hashes work as far as I'm aware is that the hash salt is stored within the completed hash itself. Unlike with encryption. – Martin Nov 06 '15 at 21:45
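The flow Martin describes (look the row up by username, fetch only the stored hash, then `password_verify()` it), written out as an added example that is not part of the original answer or of any library. It assumes PDO with an in-memory SQLite database so it runs stand-alone, and a `users` table with a `password_hash VARCHAR(255)` column; both are my choices, not the page's. Swap the DSN for a MySQL one in a real deployment. It also uses prepared statements so the username from the form never reaches the query unescaped, `password_needs_rehash()` so stored hashes get upgraded when the default cost changes, and a dummy hash so an unknown username takes as long to reject as a wrong password. The final lines show the point made in the comment above: the salt is embedded in the hash string itself.

```php
<?php
// Added example, not code from the original post.
// Assumptions (mine, not the page's): PDO + SQLite in memory, a "users"
// table with a VARCHAR(255) password_hash column, PHP >= 5.5.
declare(strict_types=1);

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // VARCHAR(255) leaves room for future algorithms; bcrypt output is 60 chars.
    // For MySQL, make id an AUTO_INCREMENT column.
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username VARCHAR(64) NOT NULL UNIQUE,
        password_hash VARCHAR(255) NOT NULL
    )');
    return $db;
}

function register(PDO $db, string $username, string $password): void
{
    // password_hash() picks a random salt and embeds it in the result,
    // so there is no separate salt column to store.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function login(PDO $db, string $username, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        // Hash of a throwaway value: verifying against it when the username
        // does not exist keeps the response time close to a real lookup.
        $dummyHash = password_hash('throwaway-dummy-value', PASSWORD_DEFAULT);
    }

    // Look the row up by username only; the password never goes into the query.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $storedHash = ($row === false) ? $dummyHash : $row['password_hash'];
    $matches = password_verify($password, $storedHash);
    if ($row === false || !$matches) {
        return false;
    }

    // Transparently upgrade the stored hash if the default cost/algorithm moved on.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return true;
}

// Demo with constructed input.
$db = open_db();
register($db, 'alice', 'correct horse battery staple');
var_dump(login($db, 'alice', 'correct horse battery staple'));
var_dump(login($db, 'alice', 'wrong password'));
var_dump(login($db, 'nobody', 'anything'));

// The salt is part of the stored string. With bcrypt (PASSWORD_DEFAULT as of
// PHP 5.5 through 8.x) the 60-char hash is: "$2y$<cost>$" + 22-char salt + 31-char digest.
$h = $db->query("SELECT password_hash FROM users WHERE username = 'alice'")->fetchColumn();
echo 'prefix+cost: ', substr($h, 0, 7), PHP_EOL;
echo 'salt:        ', substr($h, 7, 22), PHP_EOL;
echo 'digest:      ', substr($h, 29), PHP_EOL;
```

Run it with `php login_demo.php`. Because the salt and cost travel inside the hash, `password_verify()` needs nothing but the stored string and the submitted password, which is why the answer says not to keep a separate salt column.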