0

In my web page, whenever someone creates a user account, a secret key would be generated for the 2nd Authentication(aka One-Time Password). An example of the generated key looks like this:"C9DR2VWVEE1SQXAR". Is it a bad move if I were to store this key as it is into the database, without hashing or salting or encrypting it? If so, what's a good way to store it php/mySQL?

Edit: I'm not looking for solutions for storing password, I'm asking about the secret key for the time-based OTP that is generated by the back-end. I don't see how it's linked to storing password, unless yo're telling me to store like a password.

Samuel Smith
  • 139
  • 1
  • 1
  • 13
  • This is just temporary? I wouldn't worry too much about it. – Barmar Apr 23 '19 at 03:46
  • Last few years, I also have a same question like this. After tried some ways to store secret key (Database, Cache), then I choose to do not store any secret key. I decided to pickup https://www.npmjs.com/package/otplib (JS language) to generate OTP (One-Time password) and decode OTP send from client. I suggest you can try this lib https://github.com/lelag/otphp (PHP) to generate and decode OTP. – Dat Ho Apr 23 '19 at 03:52
  • 1
    PHP has easy to use [methods](https://www.php.net/manual/en/ref.password.php) to handle passwords, I see no reason to not use them even if you store password for a short time. – Cray Apr 23 '19 at 04:58

0 Answers0