0

I want to hash passwords in PHP then send the result to MySQL.

From time to time I might want to use the available hashing functions in PHPMyAdmin to update/reset passwords.

I used to use MD5 for this in the past, as it's available in PHP, PHPMyAdmin and MySQL. However, MD5 is no longer an option due to security concerns. I looked into SHA1 and that is no longer an option either. SHA2 does not seem to be available in PHPMyAdmin, so that won't work for easy password resetting. One version of PHPMyAdmin I saw used password_hash, but it wasn't available on another server, so that is one issue. Another issue is that it seems to produce a different output each time the function is run, probably because of a random salt.

Is there a password hashing function that I can call from PHP, that will also be available in PHPMyAdmin and in MySQL as well?

Basically what should I replace MD5 with?

aboyce
  • I would suggest using `password_hash` and creating a command line script that only you have access to for resetting passwords. – Jacob Mulquin Apr 17 '22 at 05:08
  • password_hash is built into php, it would be available on all servers. https://www.php.net/manual/en/function.password-hash.php – ADyson Apr 17 '22 at 07:07
  • `Another issue is it seems to produce a different output each time`...it's supposed to, but it doesn't matter because you just use password_verify to check them and it knows how to get the required information from each password to check it – ADyson Apr 17 '22 at 07:11
  • P.s. you'll probably need to make a little admin page in your application for resetting passwords, I don't think you'll be able to do it from mysql/phpmyadmin – ADyson Apr 17 '22 at 07:18
  • I don't think there is an answer to my question. MySQL doesn't have an equivalent for `password_hash`. It seems like if password_hash is the answer. I was initially confused that it produces a different output each time it is run. The server with PHPMyAdmin without password_hash I will look to see if there is a way to have it added. – aboyce Apr 17 '22 at 08:44

1 Answer

0

Gone are the days when there is a similar hashing function in all 3 areas.

I liked how MD5 was available in all 3 areas being PHP, PHPMyAdmin and MySQL. Since password_hash is the recommended way to hash passwords with PHP I will have to use that.

For resetting passwords in PHPMyAdmin I may allow MD5 hash and have the application update it to php password_hash next time the user logs in similar to how Wordpress did it. [If anyone sees a problem with this method I would like to be made aware]

aboyce
  • Since a hash is not reversible, how do you propose to convert it from md5 to the password_hash format? – ADyson Apr 17 '22 at 17:02
  • When the user logs in they have to provide the password. So you do it then. – aboyce Apr 18 '22 at 07:34
  • That means you'd have to know which algorithm the password was hashed with and have php choose the right one, or have it try both. Only once you've verified it that way could you then legitimately re-hash it without it being a security issue. And if you're still storing some passwords using an insecure algorithm then your application's data is still insecure. This is not a good idea. Why do you want to reset passwords from phpmyadmin? That's not its job, it's a DBA tool. As I said, write a small admin tool as part of your php application to handle this, it won't take long – ADyson Apr 18 '22 at 08:10
  • I will write a tool. I was thinking having the password hashed as MD5 while it was being reset was not a huge deal. Wordpress does it and that runs 30% of the websites on the internet. – aboyce Apr 18 '22 at 09:52
  • Well I don't know precisely what WordPress does but if it's storing them as md5 for more than a few moments then it's risking its users' security. Being popular doesn't necessarily make you good quality (c.f. Microsoft for most of its existence...) – ADyson Apr 18 '22 at 10:18
  • Admin is locked out of WordPress admin. PHPMyAdmin is available but other options are not [like wpcli]. You set the password using an MD5 hash in PHPMyAdmin and then log in as normal in the WordPress admin area. When you log in to WordPress it changes the MD5 hash to some other complicated hash it uses. The MD5 hash is used for backwards compatibility. For all I know they may have removed this method of password reset or plan to remove it soon. Thanks for the advice. – aboyce Apr 18 '22 at 11:11
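
The approach discussed in this thread, as an added example that is not code from any of the posters: resets are hashed in PHP with `password_hash`, logins are checked with `password_verify`, and rows left over from the old MD5 scheme are rehashed only after the password has been verified. The `users` table, its column names, the function names and the in-memory SQLite connection (standing in for MySQL) are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed schema: users(username PRIMARY KEY, password VARCHAR(255)).
// In-memory SQLite stands in for the MySQL connection so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Admin reset: the hash is computed in PHP, so no SQL-side hash function is needed.
function resetPassword(PDO $pdo, string $user, string $newPassword): void
{
    $stmt = $pdo->prepare('UPDATE users SET password = ? WHERE username = ?');
    $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT), $user]);
}

// Login check that also upgrades rows still holding an unsalted MD5 hex digest.
function login(PDO $pdo, string $user, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user
    }
    // A bare 32-character hex string is treated as a legacy MD5 row.
    $isLegacy = preg_match('/^[0-9a-f]{32}$/i', $stored) === 1;
    $ok = $isLegacy
        ? hash_equals(strtolower($stored), md5($password))
        : password_verify($password, $stored);
    // Rehash only after the supplied password has been verified.
    if ($ok && ($isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        resetPassword($pdo, $user, $password);
    }
    return $ok;
}

// Constructed sample data: one legacy MD5 row, one row set through resetPassword().
$pdo->exec("INSERT INTO users VALUES ('old_user', '" . md5('correct horse') . "')");
$pdo->exec("INSERT INTO users VALUES ('new_user', 'placeholder')");
resetPassword($pdo, 'new_user', 'battery staple');

var_dump(login($pdo, 'new_user', 'battery staple')); // password_verify branch
var_dump(login($pdo, 'old_user', 'wrong guess'));    // legacy branch, wrong password
var_dump(login($pdo, 'old_user', 'correct horse'));  // legacy branch, triggers the upgrade
$row = $pdo->query("SELECT password FROM users WHERE username = 'old_user'")->fetchColumn();
var_dump(password_get_info($row)['algoName']);       // algorithm now stored for old_user
```

Because `resetPassword()` is the only write path, no new MD5 values are ever stored; the legacy branch exists solely for rows created under the earlier scheme.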