
I wanted to make my password database more secure by encrypting the passwords with bcrypt. The thing is, I do not know if it is important to split the hash returned by the method into different strings (-prefix-cost-salt-password-) in order to make it safer. Does it? The hash returned: `$2y$10$/s1xHJ04qAY2CCs16BHdQ.VpzQjd3HSUGEsL6xiKrd.RQig7uFpZ.`

And in that case, which columns should I create in my database table?

Shadow
ferran
    Hashing passwords can be really simple, yet very secure - use `password_hash($user_password, PASSWORD_DEFAULT)`, then store that in a column that's of at least 60 length. Then just use `password_verify($user_password, $hashFromDatabase);` to verify! No salt, cost or prefix needed. In fact, you shouldn't - just use the `PASSWORD_DEFAULT` constant. – Qirel Jul 17 '19 at 08:42
  • @Qirel yes! That's what I did, but I've seen some people splitting that hash into its parts, and I just wanted to know if that really adds something to its security. Because I guess that if he accesses the hash alone or by its parts, it is not going to make a difference. – ferran Jul 17 '19 at 08:46
    No, you should only use `password_hash($user_password, PASSWORD_DEFAULT)` and insert that directly into the column, no need to split it up. You gain nothing by doing it. Using salt/prefix is also discouraged - just the plain hash is good. – Qirel Jul 17 '19 at 08:47
    If someone has access to your database it doesn't matter if you split it or not. – Dharman Jul 17 '19 at 08:48
  • yeah, that's what I still think, but I've seen so many people doing it that I got confused, thank you @Dharman – ferran Jul 17 '19 at 09:41
    This is a huge problem with PHP on the internet. People follow the majority of bad programmers and they copy their mistakes. See: https://stackoverflow.com/q/401656/1839439 https://stackoverflow.com/q/4795385/1839439 – Dharman Jul 17 '19 at 09:44

1 Answer


You don't need to split the hashed password; why do you want to do that? Just use the PHP native password hashing function: `password_hash($user_password, PASSWORD_BCRYPT, ['cost' => 12])` and store the result inside the database.

Oshione
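The following is an added example, not code from the question or the answer above, showing the single-column layout both the answer and the comments recommend: the whole `password_hash()` string goes into one column, `password_verify()` reads the prefix, cost and salt back out of that string itself, and `password_needs_rehash()` uses the embedded cost to upgrade old hashes at login. It assumes PDO with an in-memory SQLite database (a constructed table named `users`) so that it runs stand-alone; the user name and password are made-up sample values.

```php
<?php
// Added example: one column holds the complete bcrypt string.
// Assumptions: PDO + SQLite (in-memory), a constructed `users` table,
// and the same cost of 12 that the answer uses.

declare(strict_types=1);

const HASH_OPTIONS = ['cost' => 12];

// The $2y$ prefix, the cost and the 22-character salt are all inside the
// string password_hash() returns, so a single column is enough.
// VARCHAR(255) leaves room if PASSWORD_DEFAULT later switches algorithm.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    id            INTEGER PRIMARY KEY,
    username      TEXT NOT NULL UNIQUE,
    password_hash VARCHAR(255) NOT NULL
)');

function registerUser(PDO $pdo, string $username, string $password): void
{
    // Never store the password; store only the self-describing hash string.
    $hash = password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function loginUser(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() parses prefix, cost and salt out of the stored string,
    // recomputes bcrypt, and compares in constant time. No separate columns needed.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Because the cost is part of the stored string, PHP can tell when a hash
    // was made with a lower cost than HASH_OPTIONS and re-hash it transparently.
    if (password_needs_rehash($row['password_hash'], PASSWORD_BCRYPT, HASH_OPTIONS)) {
        $newHash = password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS);
        $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?')
            ->execute([$newHash, $row['id']]);
    }
    return true;
}

// Demo with constructed sample credentials.
registerUser($pdo, 'ferran', 'correct horse battery staple');
var_dump(loginUser($pdo, 'ferran', 'correct horse battery staple'));
var_dump(loginUser($pdo, 'ferran', 'wrong password'));

// The stored string already carries algorithm, cost and salt: PHP can read
// them back without you having split anything into extra columns.
$stored = $pdo->query("SELECT password_hash FROM users WHERE username = 'ferran'")
              ->fetchColumn();
print_r(password_get_info($stored));
```

The `password_get_info()` call at the end is the answer to the original question in code form: the prefix, cost and salt the asker considered splitting out are already recoverable from the one stored string, so separate columns add no protection and only break the rehash-at-login upgrade path that depends on the cost being embedded.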