
Dealing with Passwords the Right Way

At some point in time, every web developer is going to have to deal with users logging into their application. This means storing the user’s username and password in a database, right? Wrong. There is absolutely no need to store a password. Ever. End of story.

So how do we verify that the user has entered the correct password? It’s actually very simple. Instead of storing the user’s password, one should store the SHA-2 or MD5 hash of their password. Hashes are one-way functions that, in practice, produce a unique output for each distinct input. That is, “Red123” would produce a different hash than “red123”, or even “R ed123”. By comparing the hash of what the user typed against the stored hash, you can verify that your user is entering the right password, while protecting the password itself in case your database is stolen.

In PHP, these hashes are really easy to produce. For MD5, it’s as simple as:

$hash = md5($input);

For SHA-2 (technically SHA-256), there’s a little more typing, but not much.

$hash = hash("sha256", $input);

Using $hash in your SELECT and INSERT SQL statements, instead of $input, means the plaintext password never reaches the database; that secures your data and keeps users happy.
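The full sign-up and login flow the post describes, as an added example that is not code from the original post. It uses the same hash("sha256", ...) call shown above and stands in for the database with an in-memory array; the function names and the sample users are assumptions for illustration. As a caveat the post predates, modern PHP provides password_hash() and password_verify(), which use a slow, salted algorithm (bcrypt by default) instead of a fast, unsalted MD5 or SHA-256 hash; the last two functions show that variant.

```php
<?php
// Added example (not from the original post): hash the password once at
// sign-up, store only the hash, and compare hashes at login.
// $users is a constructed in-memory stand-in for the database table:
// username => stored hash. Function names are assumptions for illustration.

declare(strict_types=1);

$users = [];

function register_user(array &$users, string $username, string $password): void
{
    // Only the hash is stored; the plaintext $password is never written anywhere.
    $users[$username] = hash('sha256', $password);
}

function check_login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    // Hash the submitted password and compare it to the stored hash.
    // hash_equals() compares in constant time, so the comparison itself
    // reveals nothing about how many leading characters matched.
    return hash_equals($users[$username], hash('sha256', $password));
}

register_user($users, 'alice', 'Red123');

var_dump(check_login($users, 'alice', 'Red123'));   // correct password
var_dump(check_login($users, 'alice', 'red123'));   // wrong case, different hash
var_dump(check_login($users, 'alice', 'R ed123'));  // extra space, different hash
var_dump(check_login($users, 'bob',   'Red123'));   // unknown user

// Modern variant (PHP 5.5+): password_hash() picks a slow, salted algorithm
// (bcrypt for PASSWORD_DEFAULT) and embeds the salt and parameters in the
// returned string, so password_verify() needs nothing else to check it.
function register_user_modern(array &$users, string $username, string $password): void
{
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

function check_login_modern(array $users, string $username, string $password): bool
{
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

register_user_modern($users, 'carol', 'Red123');
var_dump(check_login_modern($users, 'carol', 'Red123'));  // correct password
var_dump(check_login_modern($users, 'carol', 'red123'));  // wrong case
```

Either way, the value written to the database with the INSERT is the hash, and the value compared at login is a hash computed from the submitted input, never the stored plaintext.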

Plus it’s just good form.

Published in Internet Security