Secure password storage

Question

I\'m developing a web service where users must login. I will store user data in an SQL database and input/output via PHP. But I don\'t want to store it openly. How do I encr

Answer 1

Save an MD5 hash and to make it more secure, add a salt.

Answer 2

You need to salt and hash the password, using an appropriately secure algorithm.

• PHP's mhash has appropriate hashing functions
• A full example here on SO

Answer 3

The easiest way to get your password storage scheme secure is by using a standard library.

Because security tends to be a lot more complicated and with more invisible screw up possibilities than most programmers could tackle alone, using a standard library is almost always easiest and most secure (if not the only) available option.

See this answer for more info

Answer 4

Hash passwords in SHA-1 (sha1 php inbuilt function) with several recursions of salting (same code in the answers above, only loop through several times). This should be sufficient protection, so even if the intruders somehow get their hands on the hashes, they shouldn't be able to crack them...

Answer 5

You probably want to hash the password - not encrypt it. Check out SHA-1. Hashing means that you cannot retrieve the original data as you can with encryption. Instead what you do is hash the users input and compare it to the hash in the database to see if they've got the right password. Doing this increases security as if your database was ever compromised - a bunch of hashes are useless.

Answer 6

There is the possibility to hash passwords (preferably with a salt):

$salt = random_string($length = 5);
$hash = $salt . sha1($salt . $password);

Or store encrypted (only if your MySQL connection is SSL secured):

INSERT INTO `user` (`user`,`pass`) VALUES("username",ENCRYPT("password","secretkey"))