Why you can’t store passwords in clear text

The main reason is to limit the damage if the database leaks.

If an attacker gets only usernames and email addresses, that is bad but not critical.

But if they get logins and passwords, they can try the same pairs against mail services (Gmail, Yandex.Mail, Mail.ru, etc.), social networks, messengers, online banking, and so on…

Or against the same Pyaterochka loyalty account, to reissue the card and spend someone else's bonus points.

So users who reuse the same login and password everywhere can end up with a whole set of problems.

Some developers believe their application is well protected and a leak cannot happen. This belief is wrong for several reasons:

  • A developer is a human, not a robot, and will make mistakes sooner or later.
  • The compromise can happen on the hosting provider's side, which you usually cannot control.
  • A misconfigured server can give other customers of the same host access to your site (relevant for shared hosting).
  • A former colleague may leak the database to a competitor, out of revenge or simply for money.

In short, passwords cannot be stored in clear text.

Encryption and hashing

Encryption is a reversible transformation of text: whoever holds the key and knows the algorithm can turn the ciphertext back into the original.

Hashing is an irreversible (one-way) transformation: the input is turned into a fixed-length digest, and there is no procedure that turns the digest back into the input.

The difference between the two is whether the original string can be recovered from the output by some known procedure.

Here is an example of encryption. We have a message:


I am Ram

Let's encrypt the message with the following algorithm: shift each letter one position forward in the alphabet, i.e. a becomes b, b becomes c, and z wraps around to a. This is what the ciphertext looks like:


J bn Sbn

Encrypted. To decrypt, perform the opposite operation: shift every letter one position back. This algorithm is called the Caesar cipher (Wikipedia). The shift is its key; since there are only 25 possible shifts it is trivially breakable, so it serves here only as an illustration of reversibility.

Unlike encryption, hashing has no (or rather should not have any) way to "decrypt" the string back:

$hash = md5('Some line');
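To make the reversible/irreversible distinction concrete, here is an added example (not code from the original article) implementing the Caesar shift for an arbitrary shift, not just 1, round-tripping the message above and then computing digests of the same text. The function names `caesar_encrypt`/`caesar_decrypt` are mine; sha256 is used here just as a representative one-way digest.

```php
<?php
// Added example: Caesar shift (encryption, reversible) next to a hash (one-way).

/** Shift every ASCII letter by $shift positions, wrapping z -> a; other bytes pass through. */
function caesar_encrypt(string $text, int $shift): string
{
    $shift = (($shift % 26) + 26) % 26;          // normalise negative shifts into 0..25
    $out = '';
    for ($i = 0, $n = strlen($text); $i < $n; $i++) {
        $ch = $text[$i];
        if ($ch >= 'A' && $ch <= 'Z') {
            $out .= chr((ord($ch) - ord('A') + $shift) % 26 + ord('A'));
        } elseif ($ch >= 'a' && $ch <= 'z') {
            $out .= chr((ord($ch) - ord('a') + $shift) % 26 + ord('a'));
        } else {
            $out .= $ch;                         // spaces, digits, punctuation unchanged
        }
    }
    return $out;
}

/** Decryption is the same operation with the shift reversed: the shift is the key. */
function caesar_decrypt(string $text, int $shift): string
{
    return caesar_encrypt($text, -$shift);
}

$message = 'I am Ram';
$cipher  = caesar_encrypt($message, 1);
echo $cipher, PHP_EOL;                           // J bn Sbn
echo caesar_decrypt($cipher, 1), PHP_EOL;        // I am Ram
assert(caesar_decrypt($cipher, 1) === $message); // round trip works for every shift

// A hash is one-way: there is no hash_decrypt(). The digest has a fixed length
// whatever the input length, and a one-character change alters it completely.
echo hash('sha256', $message), PHP_EOL;
echo hash('sha256', 'I am Rab'), PHP_EOL;
echo strlen(hash('sha256', str_repeat('x', 10000))), PHP_EOL;   // 64 hex characters
```

Note that the shift is recoverable by trying all 25 values, which is why a real cipher keeps a large key space; the hash, by contrast, gives you nothing to try against except guessing inputs.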

Encrypting passwords

Do not encrypt passwords.

Encryption is reversible by design. To check a login the application must hold the decryption key, so the key sits on the same server as the database, and whoever obtains both (or steals the key, or guesses a weak one) recovers every password at once. With hashing it does not matter that the attacker knows the algorithm: knowing it gives no way back from the hash to the password, only the option of guessing passwords one by one, which a proper password hash makes deliberately slow.
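The failure mode described above, as an added example that is not part of the original article: a "users" table whose passwords are AES-encrypted with a key from the application's config, which a leak of database plus config turns back into plaintext in a loop, beside the same table stored with password_hash(). The key derivation, the function names and the user rows are constructed for the example; it assumes the openssl extension.

```php
<?php
// Added example: encrypted password store versus hashed password store after a leak.

// Hypothetical application key as it would sit in config.php (constructed here).
$key = hash('sha256', 'app-secret-from-config.php', true);   // 32 bytes for AES-256

function encrypt_password(string $password, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length('aes-256-cbc'));
    $ct = openssl_encrypt($password, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return base64_encode($iv . $ct);             // IV stored next to the ciphertext
}

function decrypt_password(string $stored, string $key): string
{
    $raw   = base64_decode($stored, true);
    $ivLen = openssl_cipher_iv_length('aes-256-cbc');
    return openssl_decrypt(substr($raw, $ivLen), 'aes-256-cbc', $key,
                           OPENSSL_RAW_DATA, substr($raw, 0, $ivLen));
}

// Constructed "users" table, the way someone who "encrypts for safety" would store it.
$users = [
    'alice' => encrypt_password('correct horse battery staple', $key),
    'bob'   => encrypt_password('123456', $key),
];

// Attacker with a copy of the table and the config: every password is back in one pass.
foreach ($users as $login => $stored) {
    printf("%-6s %s\n", $login, decrypt_password($stored, $key));
}

// Hashed store: there is no key anywhere that turns these strings back into passwords.
// The same leak leaves the attacker with a guessing job, and bcrypt slows each guess down.
$hashes = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT),
    'bob'   => password_hash('123456', PASSWORD_BCRYPT),
];
foreach ($hashes as $login => $hash) {
    printf("%-6s %s\n", $login, $hash);
}
```

The point of the first loop is that nothing clever was needed: the key had to be readable by the web application, so it was readable by whoever got onto the server or into the backups.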

Password hashing and authentication

PHP has the password_hash() function for hashing passwords:

$password = '123456';
$hash = password_hash($password, PASSWORD_BCRYPT);

var_dump($hash);
// string(60) "$2y$10$Vb.pry5vRGNrm6Y79UfBsun/RbXq2.XEGCOMpozrDwg.MNpfxvWHK"

The second parameter is the hashing algorithm. PASSWORD_DEFAULT currently also maps to the bcrypt we specified, but I recommend naming the algorithm explicitly (PASSWORD_BCRYPT), because the default may change in a future PHP release. Existing hashes would still verify after such a change, since password_verify() reads the algorithm and its parameters from the prefix of the hash ($2y$10$ above), but new hashes would come out in a different format and length than your schema and tooling expect. The optional third parameter is an array of options; for bcrypt the one that matters is 'cost', which defaults to 10 and should be raised over the years as hardware gets faster.

To check a password entered by the user, use the password_verify() function:

<?php
$hash = '$2y$10$Vb.pry5vRGNrm6Y79UfBsun/RbXq2.XEGCOMpozrDwg.MNpfxvWHK';
$password = '123456';

if(password_verify($password, $hash))
    echo 'The password is correct.';
else
    echo 'The password is incorrect.';

Once more: when a user registers, pass the password to password_hash() and save the resulting hash in the database. password_hash() generates a random salt and embeds it in the hash string, so there is no separate salt column to maintain.

When the user logs in, look them up by login and call password_verify() with the entered password and the stored hash.

The original password is therefore never stored; there is nothing left that needs it.

Note that different hashing algorithms produce hashes of different lengths (bcrypt gives 60 characters, as in the var_dump above), so store the hash in a VARCHAR(255) column to leave room for a future algorithm change.
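The registration and login flow above, carried through as an added example (not the article's own code) against an in-memory SQLite table, with two checks a practitioner would want that the prose does not show: password_needs_rehash() so the cost can be raised later without locking anyone out, and a dummy verification for unknown logins so response time does not reveal which usernames exist. The table layout, the `register`/`login` function names and the cost of 12 are my assumptions; it assumes the pdo_sqlite extension and PHP 7.4 or later.

```php
<?php
// Added example: register + login with password_hash()/password_verify() and transparent rehash.

const HASH_ALGO    = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 12];   // assumption for this example; raise over time

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (
    id            INTEGER PRIMARY KEY,
    login         TEXT UNIQUE NOT NULL,
    password_hash VARCHAR(255) NOT NULL   -- wide enough for a future algorithm
)');

function register(PDO $db, string $login, string $password): void
{
    $hash = password_hash($password, HASH_ALGO, HASH_OPTIONS);   // random salt generated inside
    $db->prepare('INSERT INTO users (login, password_hash) VALUES (:login, :hash)')
       ->execute([':login' => $login, ':hash' => $hash]);
}

/** True only for a correct login/password pair; does not say which half was wrong. */
function login(PDO $db, string $login, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown login: still run a bcrypt verification against a dummy hash so the
    // request takes as long as for a real user (no username enumeration by timing).
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy-password', HASH_ALGO, HASH_OPTIONS);
    }
    $stored = $row ? $row['password_hash'] : $dummy;
    $ok     = password_verify($password, $stored);   // evaluated before the row check on purpose
    if (!$row || !$ok) {
        return false;
    }

    // The user just proved the password, so upgrade the stored hash if it was made
    // with an older algorithm or a lower cost than we use today.
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $db->prepare('UPDATE users SET password_hash = :hash WHERE id = :id')
           ->execute([':hash' => password_hash($password, HASH_ALGO, HASH_OPTIONS), ':id' => $row['id']]);
    }
    return true;
}

register($db, 'ram', 'correct horse battery staple');
var_dump(login($db, 'ram', 'correct horse battery staple'));   // bool(true)
var_dump(login($db, 'ram', '123456'));                        // bool(false)
var_dump(login($db, 'nobody', '123456'));                     // bool(false)

// Simulate a legacy row created at the default cost of 10; the next successful
// login rewrites it at cost 12 without the user noticing anything.
$db->prepare('UPDATE users SET password_hash = :hash WHERE login = :login')
   ->execute([':hash' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]),
              ':login' => 'ram']);
$before = $db->query("SELECT password_hash FROM users WHERE login = 'ram'")->fetchColumn();
login($db, 'ram', 'correct horse battery staple');
$after  = $db->query("SELECT password_hash FROM users WHERE login = 'ram'")->fetchColumn();
echo substr($before, 0, 7), ' -> ', substr($after, 0, 7), PHP_EOL;   // $2y$10$ -> $2y$12$
```

The rehash step is the reason to store the whole self-describing hash string rather than a bare digest: the stored prefix tells password_needs_rehash() what the row was made with, and the upgrade happens one user at a time as they log in.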

MD5 and SHA1 algorithms

You will still find articles on the Internet recommending the md5() and sha1() functions for hashing passwords.

Do not use them for passwords!

These are general-purpose digests, not password hashes: they are unsalted and extremely fast, which is exactly what an attacker cracking a leaked table wants. A GPU computes billions of md5 hashes per second, one precomputed table of common passwords matches every user at once, and two users with the same password get the same hash. (The same objection applies to sha256 and the other fast digests.) Use the password_hash() function discussed above instead: it adds a random salt per user and is deliberately slow.
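Why this matters in practice, as an added example that is not part of the original article: a constructed leaked table of md5 hashes cracked with a small wordlist by a single lookup, then bcrypt on the same passwords showing per-user salts and a rough guesses-per-second comparison. The wordlist, the user rows and the `guesses_per_second` helper are constructed for this example; it assumes PHP 7.4 or later (arrow functions, hrtime()).

```php
<?php
// Added example: dictionary lookup against unsalted md5 versus salted, slow bcrypt.

$wordlist = ['password', '123456', 'qwerty', 'letmein', 'iloveyou', 'dragon'];

// Constructed "leaked" users table, hashed the way old tutorials suggested.
$leaked = [
    'alice' => md5('123456'),
    'bob'   => md5('dragon'),
    'carol' => md5('123456'),              // same password => identical hash, visible at a glance
    'dave'  => md5('T0tally-Unguessable!'),
];

// Attacker: hash the wordlist ONCE, then look every user up. No per-user work at all.
// Real attacks use multi-gigabyte wordlists and GPUs doing billions of md5 per second.
$table = [];
foreach ($wordlist as $w) {
    $table[md5($w)] = $w;
}
foreach ($leaked as $user => $hash) {
    printf("%-6s %s\n", $user, $table[$hash] ?? '(not in wordlist)');
}

// bcrypt: random per-user salt, so equal passwords give different hashes and the
// precomputed table is useless; every guess has to be hashed again for every user.
$h1 = password_hash('123456', PASSWORD_BCRYPT);
$h2 = password_hash('123456', PASSWORD_BCRYPT);
var_dump($h1 === $h2);                                   // bool(false)
var_dump(password_verify('123456', $h1) && password_verify('123456', $h2));   // bool(true)

/** Rough throughput of one guess function on this machine, in guesses per second. */
function guesses_per_second(callable $fn, int $n): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $n; $i++) {
        $fn("guess$i");
    }
    return $n / ((hrtime(true) - $start) / 1e9);
}

printf("md5:    %.0f guesses/s\n", guesses_per_second(fn($p) => md5($p), 200000));
printf("bcrypt: %.0f guesses/s\n",
       guesses_per_second(fn($p) => password_hash($p, PASSWORD_BCRYPT, ['cost' => 10]), 5));
```

The exact numbers depend on the machine, but the ratio is the point: md5 runs in the millions per second even in PHP, while bcrypt at cost 10 runs in the tens, and each increment of the cost halves that again.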
