Security article: Password security in PHP
This article will deal with password security. Especially, passwords of your web site's (or program's) users. Although the title of this posts suggests it only applies to PHP scripts, it can in fact be used for and programming or scripting language (except the PHP examples, or course).
On many web sites, visitors can register themselves, for example to be able to post on the forums or place comments. These users have to fill in a password, that allows only them to log in with that specific name on that specific user account.
But, how is this password stored? There are basically three methods, ranging from dumbest to smartest:
- Clear text, the password directly into the database or other storage medium;
- Encrypted, the password encrypted with an algorithm (e.g. AES), with a key;
- Hashed; a one-way hash (e.g. MD5, SHA1).
As you might suspect, storing the password as clear text is the most idiotic thing you can do! Imagine a hacker breaks into your database; he instantly has all passwords for all users on your web site. Is that what you want? I think not.
Option two is storing the password as encrypted text. This requires an encryption algorithm, such as Advanced Encryption Standard, and a key. This requires the key to be stored as well, and no matter how good you put it away. On the other hand, it allows you to decrypt the password and use it for verification. And you can give them their original password when they've lost it. But this still isn't the best solution. See option three.
Option three: hashes
The third option is in my opinion, and that of a lot of people who know, hashing. A hash is, according to Wikipedia:
A cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that an accidental or intentional change to the data will change the hash value. The data to be encoded is often called the "message", and the hash value is sometimes called the message digest or simply digest.
So, a hash is a string that is based 0n the original text. This is handy, as it is almost impossible to reverse the hash, so the password is safe. And when you need to check a password, you simply hash the inputted password too and compare.
What kind of hash functions are there? Basicly, the following two are the most used:
- MD5
- SHA(1)
MD5
MD5 stands for Message Digest 5, and has been developed by Ron Rivest in 1991 to replace MD4. How can you use it in php?
// Method one $hash = md5("password"); // Method two $hash = hash('MD5', "password");
This results in a 32-digits hexadecimal string, for example 5f4dcc3b5aa765d61d8327deb882cf99. This is always the same for the same string. This provides a great method for password saving, because the password can never (or, with extreme difficulty) be reverse-engineered. When you need to check a password, you simply hash that too, and compare the strings.
SHA1
SHA1 is another cryptographic hash function. According to Wikipedia:
The SHA hash functions are a set of cryptographic hash functions designed by the National Security Agency (NSA) and published by the NIST as a U.S. Federal Information Processing Standard. SHA stands for Secure Hash Algorithm.
SHA1 generates a hexadecimal string of 40 characters, instead of the 32 of MD5. SHA1 is considered more secure. Using this in php is not more difficult:
// Method one $hash = sha1("password"); // Method two $hash = hash('SHA1', "password");
This generates the has, for example 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8.
This is it for now. I'll write an article about cracking hash ciphers in the furure, which is mainly brute-forcing. Bye-bye.