Hello.

I am beginning the process of implementing password encryption for users on my future site (the site is not live or available yet).

I have been reading up on hashing passwords and storing them in the database.

My questions are as follows:

  • I believe it has said that once hashed, the password is stored as plain text and not reversible - I take this to mean that it cannot be viewed by me in its original state, the original user password. Is this correct?
  • The online PHP manual suggests using password_hash() or crypt(); This is an aspect of programming/PHP which is new to me. Do I have to include any sort of files or set-up server side in order to get this to function?
  • When a password is hashed, is it always the same character length? I ask this as I would need to know a length in order to store it correctly in the DB.

Any other input would help greatly.

Thank you in advance!
Matthew

Hi

A hashed password in my system looks something like this:

$2a$10$dfLab4y467mdxJeSDlvAIOOjKmrW8Tbm80IN9qm5WVd7ALGZTQkBe

In my table they are all the same length - this is usually part of the hashing algorithm.

When someone attempts to log on you take the password they typed in and hash it. You then compare it with the hashed password in the database. If they are the same then you can log them on. If someone were to get their hands on your database they would not be able to use the passwords as they would not know what the actual password is. It is practically impossible to reverse a hash.

Check out http://en.wikipedia.org/wiki/Cryptographic_hash_function

I don't do PHP so cannot advise on the second part of your question. Generally hashes are the same length. All of them in my table are 60 chars.

From wikipedia: A hash function is any function that can be used to map digital data of arbitrary size to digital data of fixed size.

Hope that helps.


Put simply, ensure you are on a recent version of php.

Save to database:

$salt = '$2y$10$' . substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22); // bcrypt salt; the salt argument is mandatory from PHP 8.0
$hashedPasswordInDb = crypt($password, $salt);

To authenticate:

if (hash_equals($hashedPasswordInDb, crypt($passwordFromPost, $hashedPasswordInDb))) {
    // Authenticated: crypt() re-used the salt and cost embedded in the stored hash; hash_equals() compares in constant time
}

That's about it, for the db length/size I'd set it 100 to 200 characters over the actual size just in case. That way you can't go wrong.
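The hash-on-register, re-hash-and-compare-on-login flow described in the two replies above, written out as an added example (not code from this thread) using the password_hash()/password_verify() functions the PHP manual recommends. The in-memory $users array stands in for the database table and the sample usernames and passwords are constructed for the demonstration; no extension or include file is needed, since bcrypt ships with PHP 5.5 and later.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread: registration and login with
// PHP's built-in password_hash() / password_verify() (PHP 5.5+).

// Stand-in for the users table (username => hash). In a real schema the
// hash column should be VARCHAR(255): bcrypt output is 60 characters today,
// but PASSWORD_DEFAULT may switch to a longer format in a future release.
$users = [];

function registerUser(array &$users, string $username, string $password): string
{
    // The returned string embeds the algorithm id, cost and a random salt
    // ("$2y$10$..."), so the salt never needs a separate column.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $users[$username] = $hash;
    return $hash;
}

function loginUser(array &$users, string $username, string $password): bool
{
    // A hash computed once for unknown usernames, so that a bad username
    // costs the same time as a bad password (timing does not reveal which
    // usernames exist).
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('constructed-dummy-password', PASSWORD_DEFAULT);
    }

    $stored = $users[$username] ?? $dummyHash;

    // password_verify() reads the salt and cost out of $stored, hashes the
    // submitted password the same way and compares in constant time.
    if (!password_verify($password, $stored) || !isset($users[$username])) {
        return false;
    }

    // If the default cost or algorithm has been raised since this hash was
    // made, upgrade it transparently while the plaintext is still in hand.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// --- demonstration with constructed sample data ---
$h1 = registerUser($users, 'matthew', 'correct horse battery staple');
$h2 = registerUser($users, 'alice',   'correct horse battery staple');

printf("hash length: %d chars\n", strlen($h1));
printf("same password, different hashes: %s\n", $h1 !== $h2 ? 'yes' : 'no');
var_dump(loginUser($users, 'matthew', 'correct horse battery staple'));
var_dump(loginUser($users, 'matthew', 'wrong password'));
var_dump(loginUser($users, 'nobody',  'anything'));
```

Running this shows the two points raised in the thread: every bcrypt hash is the same length regardless of the input password, and two users with the same password still get different hashes because each hash carries its own random salt. The column size advice follows from that: 60 characters fits bcrypt, but sizing the column at 255 leaves room for PASSWORD_DEFAULT to change.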

just to add...

cannot be viewed by me in its original state, the original User password. Is this correct?

correct.

When a password is hashed, is it always the same character length?

yes.

I would need to know a length in order to store it correctly in the DB.

length depends on method used to create the hash value. You'll quickly determine the length once you start testing the various methods at your disposal.

Much thanks to all of you for your input. I am marking this thread solved. I may have further questions in the future.


How are you getting on with MVC and codeigniter? Did you get a chance to trial it yet matty?
