Methods for storing login information in database_问答_开发者

Methods for storing login information in database

开发者 https://www.devze.com 2023-03-21 01:30 出处：网络

What is the best way to store login information into database? I know that storing plane text pass开发者_运维问答word is not at all suggested. What are the other methods?

What is the best way to store login information into database? I know that storing plane text pass开发者_运维问答word is not at all suggested. What are the other methods? What functions in PHP are available for storing and authentication of login information if hash values of the password is used?

I am using PHP, MySQL, Apache server on Windows machine.

There are two camps in this security discussion:

Don't store the passwords in your DB. This usually means leveraging OAuth or equivalent. You will need to store a 'token' that uniquely identifies the user. This 'token' is provided by the authentication service that you select. The service also provides the authentication.
Store a hash (not reversible) transformation of the password in the DB. Then the authentication process is to compare the hashed version of the provided pword with the one in the DB.

There are complexities that should be considered depending upon your security consideration. I think the minimum should be a salted password implementation. This is typically something like:

$hash = sha1(saltThePword($pword));

where

function saltThePword($pword)
{
    // combine the password with a salt.
    // typically:
    //   $pword.$salt
    //   $salt can be static
    //   $salt can be unique to user (reproducible by a formula)
}

Hope this helps.

Bob

PHP gives you md5(), sha1(), and more. A typical hashing technique is to add a "salt" to your plain text password to make it more difficult to brute force.

$pass = 'password';
$salt = 'aLongStringCalledASaltIsOftenUsedToMakeHashingMoreSecure';
$hash = sha1(md5($salt . $pass));

Save password like string md5('password') and when u will be check user authorization u use a query

$res = mysql_query("SELECT id, login, name FROM user WHERE login='".mysql_real_escape_string($login)."' AND password='".md5($password)."'");

I like using sha2 for my encryption algorithm, also make sure your salt is in a safe place and not in your database under a column or table named salt.