
So basically I am taking a course on web development where the tutor said we need to hash the password before storing it in MySQL so that hackers cannot decode it.

The way we do it is

$hashedPassword = password_hash("myPassword", PASSWORD_DEFAULT);

and to decode while on the login form we use

password_verify("somePassword", $hashedPassword);

So my question is, if someone hacks into my MySQL database and steals the hashed password, won't he also be able to decode it? Is it safe to use to make a website login?

  • The `password_verify()` function does not "decode" the hash at all, since that simply is not possible. A hash algorithm is a one-way process; it cannot be reversed, that is the whole point. Instead it hashes the provided password and compares the two hashes. That does not mean that it is impossible to break such a hash, especially if you get hold of it as an attacker. But you cannot simply decode it; you need to perform a brute force attack. – arkascha Jul 10 '17 at 15:49
  • Please refer to http://php.net/manual/en/function.password-hash.php – AutoTester213 Jul 10 '17 at 15:50
  • `password_hash()` is currently the best way to accomplish this. Kudos to your tutor for knowing this and not being one of the million sources that teach you to use something horribly outdated. – Alex Howansky Jul 10 '17 at 15:53
  • _"won't he also be able to decode it"_ Not in any reasonable amount of time. _"is it safe to use to make a website login"_ Yes. – Alex Howansky Jul 10 '17 at 15:54
  • Here's my password hashed using `password_hash()`: `$2y$10$usX/K4jE3tMWvQt.fdimNuV9twBuWO6ANSlESwuKlRNPFAt1DJYCu` feel free to try and decode it. – apokryfos Jul 10 '17 at 15:55
  • @arkascha "Instead it hashes the provided password and compares the two hashes." I'd appreciate it if you clarified to me how. (I understand the two hashes are different; how is it that they encode the same plain password? How do we check that?) – mario Aug 18 '17 at 22:02
  • @mario: The hashes are identical if passwords are identical. (You've probably long forgotten about the question, but I'll answer it just for closure here.) – Sinus the Tentacular Jul 19 '21 at 20:27
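
As an added example (not code from the question or from any of the commenters), the PHP script below shows the two points raised above: the question's "can a stolen hash be decoded" and mario's "how do two different hashes verify the same password". Each `password_hash()` call generates its own salt and stores it inside the hash string, so `password_verify()` re-hashes the submitted password with that stored salt and compares; nothing is ever decoded. The function names `makeHash()` and `checkLogin()` are this example's own.

```php
<?php
// Added example, not the course's or the question's code.
declare(strict_types=1);

// Wraps password_hash(). PASSWORD_DEFAULT is currently bcrypt ("$2y$");
// a fresh random salt is generated per call and embedded in the result,
// so the database column holds algorithm + cost + salt + digest.
function makeHash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Wraps password_verify(). It parses the cost and salt out of $storedHash,
// re-hashes $submitted with them and compares in constant time.
// The stored hash is never reversed; the only way to "recover" the
// password from it is to guess candidates and run this same check.
function checkLogin(string $submitted, string $storedHash): bool
{
    return password_verify($submitted, $storedHash);
}

$hashA = makeHash('myPassword');
$hashB = makeHash('myPassword');

// Same password, two different strings (different salts) ...
var_dump($hashA !== $hashB);

// ... yet both verify the correct password and reject a wrong one.
var_dump(checkLogin('myPassword', $hashA));
var_dump(checkLogin('myPassword', $hashB));
var_dump(checkLogin('somePassword', $hashA));

// What an attacker who dumps the table actually sees: the algorithm and
// cost are readable, the password is not.
print_r(password_get_info($hashA));

// If the cost factor is raised later, rows can be upgraded transparently
// on the user's next successful login.
if (password_needs_rehash($hashA, PASSWORD_DEFAULT, ['cost' => 12])) {
    $hashA = password_hash('myPassword', PASSWORD_DEFAULT, ['cost' => 12]);
}
```

Run it with `php example.php` (PHP 5.5 or later); the first three `var_dump()` calls print `bool(true)` and the fourth `bool(false)`, which is the whole login check.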
