Asked  2 Years ago    Answers:  5   Viewed   130 times

Probably a very newbie question but, Ive been reading around and have found some difficulty in understanding the creation and storage of passwords. From what i've read md5/hash passwords are the best ways to store them in a database. However, how would I go about creating those passwords in the first place?

So say I have a login page with user bob, and password bob123 - how will I 1. get bobs password into the database to begin with (hashed) 2. how do I retrive and confirm the hashed password?

Thanks

 Answers

5

Edit 2017/11/09: Be sure to take a look at the answer from O Jones.

First off MD5 isn't the greatest hashing method you could use for this try sha256 or sha512

That said lets use hash('sha256') instead of md5() to represent the hashing part of the process.

When you first create a username and password you will hash the raw password with some salt (some random extra characters added to each password to make them longer/stronger).

Might look something like this coming in from the create user form:

$escapedName = mysql_real_escape_string($_POST['name']); # use whatever escaping function your db requires this is very important.
$escapedPW = mysql_real_escape_string($_POST['password']);

# generate a random salt to use for this account
$salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));

$saltedPW =  $escapedPW . $salt;

$hashedPW = hash('sha256', $saltedPW);

$query = "insert into user (name, password, salt) values ('$escapedName', '$hashedPW', '$salt'); ";

Then on login it'll look something like this:

$escapedName = mysql_real_escape_string($_POST['name']);
$escapedPW = mysql_real_escape_string($_POST['password']);

$saltQuery = "select salt from user where name = '$escapedName';";
$result = mysql_query($saltQuery);
# you'll want some error handling in production code :)
# see http://php.net/manual/en/function.mysql-query.php Example #2 for the general error handling template
$row = mysql_fetch_assoc($result);
$salt = $row['salt'];

$saltedPW =  $escapedPW . $salt;

$hashedPW = hash('sha256', $saltedPW);

$query = "select * from user where name = '$escapedName' and password = '$hashedPW'; ";

# if nonzero query return then successful login
Sunday, December 11, 2022
3

The n in the following line, is embedding a linebreak, (Edit: one that cannot be included in the user inputted password).

$password = password_hash($pass,  PASSWORD_BCRYPT, $options)."n";

and you need to delete it and start over with a new hash.

Jay Blanchard, a member here on Stack submitted a note about it not too long also in the password_hash() manual, which is something that he and I actually talked about.

Be care when using the example from the documentation which concatenates a newline character n to the end of the hash, i.e.:

echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT)."n";

People are storing the hash with the concatenated newline and consequently password_verify() will fail.

Another option would be to use trim(); that also works (at the moment of hashing).

$password = password_hash($pass,  PASSWORD_BCRYPT, $options)."n";
$password = trim($password);
// Store in db after

Yet you still need to start over by clearing the old hash(es) and creating new ones.

Do keep in mind though, that you shouldn't escape passwords.

One such as 123'abc (being perfectly valid) will be modified to 123'abc by real_escape_string(); it's not needed. password_verify() takes care of that, security-wise.

Tuesday, October 4, 2022
 
2

Any way you write this, you will need these xxx and yyy values in verifyNewPassword.php. The best solution would save these in hidden inputs when passed to resetpassword.php, send them along with the POSTed values, and verify them one more time from verifyNewPassword.php.

If you want to avoid the link, you can send a 303 response with the Location header set to http://mysite.net/resetpassword.php?id=xxx&username=yyy, with another optional flag set if you wanted to display an error message.

Friday, August 26, 2022
2

It turns out that if you change your icon you have to change the extension as well in order for the icon to show up.

So what I did was to first test without any icon getting an empty icon, and then tried to add the real icon. That did not work. Instead as soon as you add a new icon, also make sure to change the extension.

It is funny how such a little thing can make you lose a whole day, and also that I didn't find even a hint on this on the net.

Saturday, August 6, 2022
 
26

You defiantly can with WAIK. Take a look here at how to set up an image and here to boot off a USB stick.

Sunday, October 30, 2022
 
Only authorized users can answer the search term. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :
 

Browse Other Code Languages