What is the best way to store login information in a database? I know that storing plain-text passwords is not at all suggested. What are the other methods? What functions in PHP are available for storing and authenticating login information if hash values of the password are used?

I am using PHP, MySQL, Apache server on Windows machine.

sumit
    Start by reading this: http://stackoverflow.com/questions/549/the-definitive-guide-to-website-authentication – sagi Jul 15 '11 at 15:56
  • I wanted to point out that most of the posts below confuse salt with padding. They serve a completely different purpose...please don't make the same mistake. A salt is always outside the hash, and serves to make hashes unique for the same input...see http://en.wikipedia.org/wiki/Salt_(cryptography) – Josh Jul 30 '11 at 08:06
  • Josh - Your reference states 'a salt consists of random bits, creating one of the inputs to a one way function'...in other words there is hashing going on outside the salting process. Hashing the password before salting is probably acceptable also, but since hashing is theoretically not reversible it offers little advantage. – rcravens Aug 13 '11 at 19:48

4 Answers

3

There are two camps in this security discussion:

  1. Don't store the passwords in your DB. This usually means leveraging OAuth or equivalent. You will need to store a 'token' that uniquely identifies the user. This 'token' is provided by the authentication service that you select. The service also provides the authentication.

  2. Store a hash (not reversible) transformation of the password in the DB. Then the authentication process is to compare the hashed version of the provided pword with the one in the DB.

There are complexities that should be considered depending upon your security consideration. I think the minimum should be a salted password implementation. This is typically something like:

$hash = sha1(saltThePword($pword, $salt));

where

function saltThePword($pword, $salt)
{
    // combine the password with a salt.
    // typically:
    //   $pword.$salt
    //   $salt can be static
    //   $salt can be unique to user (reproducible by a formula)
    // the salt is passed in so the function has no hidden dependency on a global
    return $pword . $salt;
}

Hope this helps.

Bob

rcravens
  • -1 I'm sorry, this is bad advice, that is not a salt. You are implementing a secret key, and also by recommending a formula it's compromised as soon as they see the source, which is security by obscurity. Even worse, this is most likely to happen in a situation where the attacker gains access to the hashes (which is the entire point of securely hashing them), and very likely your server scripts as well. – Josh Aug 13 '11 at 16:03
  • Josh - I thought to 'salt a password' you take the password and add to it some additional bits making the original pword harder to guess. In the above example, the 'saltThePword' function was the place where this salting is done. The hashing is done outside that function (sha1). I didn't recommend a formula, just a pattern. Hashing protects against DB attacks (sql injection) where a portion of your db becomes public. If your server has been compromised in such a way as to expose your data and your source code, then the game is almost lost. – rcravens Aug 13 '11 at 19:44
  • http://en.wikipedia.org/wiki/Salt_(cryptography) - as good or better explanation I can give you. If your server becomes compromised, you can at least rest assured that no known computer could decrypt the password s because you have made it computationally infeasible. – Josh Aug 14 '11 at 02:47
1

PHP gives you md5(), sha1(), and more. A typical hashing technique is to add a "salt" to your plain text password to make it more difficult to brute force.

$pass = 'password';
$salt = 'aLongStringCalledASaltIsOftenUsedToMakeHashingMoreSecure';
$hash = sha1(md5($salt . $pass));

adlawson
  • I am not going to state that there is 'no' point in running sha1 over md5 but if you are THAT worried about password security, choose a better hashing algo to begin with. – JM4 Aug 09 '11 at 20:19
  • I would agree; if you want to be secure you would use a better hash, but if you are *actually* that concerned, you wouldn't ask for help on StackOverflow – adlawson Aug 09 '11 at 21:55
0

Save the password as the string md5('password'), and when you check user authorization, use a query

$res = mysql_query("SELECT id, login, name FROM user WHERE login='".mysql_real_escape_string($login)."' AND password='".md5($password)."'");

Londeren
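The two pieces the answers above sketch separately, storing a per-user salted hash and then authenticating against it with a query, worked through as one added example (not code from any answer on this page). It uses PHP's built-in password_hash()/password_verify(), which generate and embed a random per-user salt and use a deliberately slow hash, and a prepared statement instead of a string-built query; the table name and columns are assumptions, and an in-memory SQLite database stands in for MySQL.

```php
<?php
// Added example, not from any answer on this page. Assumed schema:
// user(id, login, password_hash). Requires PHP 7.1+ with PDO and pdo_sqlite.
declare(strict_types=1);

// Registration: password_hash() draws a random salt per user and stores it,
// the algorithm and the cost inside the returned string, so no separate salt
// column and no secret in the application source are needed.
function storeUser(PDO $db, string $login, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO user (login, password_hash) VALUES (:login, :hash)');
    $stmt->execute([':login' => $login, ':hash' => $hash]);
}

// Authentication: look the row up by login only, then let password_verify()
// recompute the hash with the stored salt and compare in constant time.
// Putting the hash in the WHERE clause, as the md5() query above does, ties
// the scheme to an unsalted fast hash and makes the comparison SQL's job.
function authenticate(PDO $db, string $login, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM user WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // unknown login or wrong password: same result either way
    }
    // Re-hash transparently if the stored hash uses an older cost or algorithm.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE user SET password_hash = :hash WHERE id = :id');
        $upd->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

// Usage with constructed data; the schema below is the assumed one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, login TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');
storeUser($db, 'alice', 'correct horse battery staple');
echo authenticate($db, 'alice', 'correct horse battery staple') !== null ? "login ok\n" : "login failed\n";
echo authenticate($db, 'alice', 'wrong password') !== null ? "login ok\n" : "login failed\n";
echo authenticate($db, 'mallory', 'anything') !== null ? "login ok\n" : "login failed\n";
```

Because the salt travels inside the hash string, the same PHP code works unchanged against MySQL once the DSN and table are swapped in.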
-1

I like using sha2 for my encryption algorithm, also make sure your salt is in a safe place and not in your database under a column or table named salt.

sauce
  • Salts are supposed to be computed once per hash generation, and are supposed to be unencrypted and in plain sight. – Josh Jul 30 '11 at 08:08