In this article you will learn about some of the various methods for securing passwords in PHP.
Hashing users' passwords before storing them in a database is an essential practice that developers need to incorporate into their workflow. Storing users' passwords as plain text makes it very easy to steal user information in the event that your database is compromised.
Applying a password hashing algorithm to a user's password turns it into a value that reveals nothing about the original text, so an attacker who obtains the stored hash cannot simply read the password back from it.
Some common hashing functions supported by PHP
The md5() function in PHP makes use of the RSA Data Security, Inc. MD5 Message-Digest Algorithm.
The RFC 1321 states that – “The MD5 message-digest algorithm takes as input a message of arbitrary length and produces as output a 128-bit “fingerprint” or “message digest” of the input. The MD5 algorithm is intended for digital signature applications, where a large file must be “compressed” in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA.”
Calculating the MD5 hash of a given string in PHP
<?php
$password = "Testing123";
echo md5($password);
?>
This will produce the following hash: ac1c8d64fd23ae5a7eac5b7f7ffee1fa
Using md5() to hash passwords is not secure. To test the strength of this algorithm, copy the hash text and paste it into the lookup form at crackstation.net.
The RFC 3174 states that – “SHA-1 produces a 160-bit output called a message digest. The message digest can then, for example, be input to a signature algorithm which generates or verifies the signature for the message. Signing the message digest rather than the message often improves the efficiency of the process because the message digest is usually much smaller in size than the message. The same hash algorithm must be used by the verifier of a digital signature as was used by the creator of the digital signature.”
Calculating the SHA-1 hash of a given string in PHP
<?php
$password = "Testing123";
echo sha1($password);
?>
This will produce the following hash: 99c884b90f6d2c6086075661a84f11798d0bddf6
Let's also test the strength of sha1() by following the same process.
“CrackStation uses massive pre-computed lookup tables to crack password hashes. These tables store a mapping between the hash of a password, and the correct password for that hash. The hash values are indexed so that it is possible to quickly search the database for a given hash. If the hash is present in the database, the password can be recovered in a fraction of a second.” – How CrackStation Works
You can see that passwords hashed with either md5() or sha1() are weakly protected, although sha1() is somewhat stronger than md5(). Both are fast, unsalted hashes, so the same password always produces the same digest, which is exactly what makes precomputed lookup tables effective against them.
PHP has introduced a native password hashing API that uses a strong one-way hashing algorithm. The password hashing functions are available in PHP 5.5 and later.
Creating a hash with the password_hash() function in PHP
<?php
$password = "Testing123";
echo password_hash($password, PASSWORD_DEFAULT);
?>
This will produce a hash like the following (the salt is generated randomly, so each call returns a different hash, and every one of them still verifies against the original password):
$2y$10$m/c3j1NaDYE9WyZ4InIw8edkcnfLkDRnUd4oSHKvKrd/zPiYeCFG6
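The following is an added example, not code from the original article: a minimal registration and login flow built on the native API, showing how password_hash(), password_verify() and password_needs_rehash() fit together, and contrasting the salted result with the deterministic md5() output discussed above. The in-memory $users array, the registerUser() and loginUser() helper names, and the cost of 12 are assumptions made for this example.

```php
<?php
// Added example (not from the original article). The $users array stands in
// for a database table; in a real application these records would be
// persisted. Runs on PHP 5.5+ (the API the article introduces).

// Work factor for bcrypt. 10 is PHP's default; raising it makes each guess
// slower for an attacker. Assumed value for this example.
define('HASH_COST', 12);

/**
 * Registration: store only the password_hash() output. The algorithm,
 * cost and random salt are all encoded inside the returned string.
 */
function registerUser(array &$users, $username, $password)
{
    $users[$username] = array(
        'hash' => password_hash($password, PASSWORD_DEFAULT, array('cost' => HASH_COST)),
    );
}

/**
 * Login: password_verify() reads the parameters out of the stored hash and
 * compares in constant time, so no manual string comparison is needed.
 * Returns true on success; on success it also upgrades hashes that were
 * created with an older cost or algorithm.
 */
function loginUser(array &$users, $username, $password)
{
    if (!isset($users[$username])) {
        // Unknown user: run a verification against a fixed hash anyway so
        // the response takes about as long as a wrong password would.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('unused', PASSWORD_DEFAULT, array('cost' => HASH_COST));
        }
        password_verify($password, $dummy);
        return false;
    }

    $stored = $users[$username]['hash'];
    if (!password_verify($password, $stored)) {
        return false;
    }

    // Transparent upgrade: if the cost or default algorithm has changed since
    // the hash was created, rehash now while the plain text is available.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, array('cost' => HASH_COST))) {
        $users[$username]['hash'] = password_hash($password, PASSWORD_DEFAULT, array('cost' => HASH_COST));
    }
    return true;
}

// --- Demonstration with constructed data ---------------------------------
$users = array();
registerUser($users, 'alice', 'Testing123');

var_dump(loginUser($users, 'alice', 'Testing123'));   // bool(true)
var_dump(loginUser($users, 'alice', 'Testing124'));   // bool(false)
var_dump(loginUser($users, 'nobody', 'Testing123'));  // bool(false)

// Why md5() is unsuitable: no salt, so identical passwords hash identically
// and one lookup-table entry exposes every user who chose that password.
var_dump(md5('Testing123') === md5('Testing123'));    // bool(true)

// password_hash() salts each call, so the same password yields different
// hashes, yet each still verifies.
$h1 = password_hash('Testing123', PASSWORD_DEFAULT);
$h2 = password_hash('Testing123', PASSWORD_DEFAULT);
var_dump($h1 === $h2);                                // bool(false)
var_dump(password_verify('Testing123', $h1) && password_verify('Testing123', $h2)); // bool(true)
?>
```

Because the cost is embedded in every hash, the value of HASH_COST can be raised later without touching existing rows: password_needs_rehash() flags the old hashes and loginUser() replaces them the next time each user signs in.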