Servage Magazine


Storing usernames and passwords securely

Tuesday, November 4th, 2014 by Servage


The security of web users' data is very important. Many data transfers include sensitive data that may cause harm if made public. This includes private and contact information, and especially passwords and payment data. I strongly recommend that you test and make sure that any such transfer between your site and your users is protected accordingly, using an SSL connection.

When it comes to data storage, it is strongly recommended that you use proper encryption for sensitive data, and in this article we are going to look at a good solution for storing user passwords securely. MySQL is the natural way to store usernames and passwords, but we don't want to store the passwords as clear text, because our website could be compromised if a hacker gained access to the database.

Instead, we'll use a neat trick called one-way encryption (more precisely, a one-way hash). This type of encryption is easy to use: simply said, you convert a string of text into a seemingly random string. Due to the one-way nature, such hashed strings are virtually impossible to reverse, so the output can safely be stored in a database, and anyone who steals it will most likely not be able to recover the original passwords. The particular function we'll use is called md5. You pass it a string to hash, and it returns a 32-character hexadecimal number. Use it like this:

$token = md5('mypassword');

The $token value then looks like this:

34819d7beeabb9260a5c854bc85b3e44

Also available is the similar sha1 function, which is considered more secure; it uses a better algorithm and returns a 40-character hexadecimal number.

Salting

Unfortunately, md5 on its own is not enough to protect a database of passwords, because it is still susceptible to a brute-force attack that uses a database of known 32-character hexadecimal md5 tokens (a lookup table of precomputed hashes). Such databases do exist, as a quick Google search will verify. Thankfully, we can prevent such attempts from succeeding by salting all the passwords before they are passed to md5. Salting is simply a matter of adding some text that only we know about to each password before it is hashed, like this:

$token = md5('saltstringmypassword');

In this example, the text “saltstring” has been prepended to the password. Of course, the more obscure you can make the salt, the better. I like to use salts such as this:

$token = md5('hqb%$tmypasswordcg*l');

Here, some random characters have been placed both before and after the password. Given just the database, and without access to your PHP code, it should now be next to impossible to work out the stored passwords.

With the tremendous rate at which processing speed is increasing, MD5 strings are beginning to enter the realm of being potentially crackable in a time frame of weeks (rather than years) for shorter seed strings. This is the reason the SHA1 algorithm was developed: it is much harder to crack than MD5 and returns a 40-character hexadecimal string. To future-proof your code, you may wish to use the PHP sha1 function instead of the md5 function. (If you store SHA1 values in MySQL, make sure the field width is set to 40 characters.) For more advanced functions with even stronger encryption, I recommend you investigate the PHP crypt function using the CRYPT_BLOWFISH algorithm.
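The following script is an added example, not code from the Servage article: it builds the salted md5/sha1 token exactly as described above (the same prefix and suffix as the 'hqb%$tmypasswordcg*l' example) and, beside it, the crypt()/CRYPT_BLOWFISH approach the article recommends for stronger protection, where a fresh random salt is generated for every password and stored inside the hash itself. The constant and function names (SITE_SALT_PREFIX, saltedToken, bcryptToken, and so on) are assumptions for illustration, and the script assumes PHP 7 or later for random_bytes() and scalar type declarations.

```php
<?php
// Added example (not Servage's code). Names below are assumptions for illustration.

// Secret text that lives only in the PHP code, as in the article's salting example.
// Constructed sample values; choose your own in a real deployment.
const SITE_SALT_PREFIX = 'hqb%$t';
const SITE_SALT_SUFFIX = 'cg*l';

// Salted token as the article builds it: secret text around the password, then md5 or sha1.
// md5 yields 32 hex characters, sha1 yields 40 (use a CHAR(40) column in MySQL for sha1).
function saltedToken(string $password, string $algo = 'sha1'): string
{
    $algo = ($algo === 'md5') ? 'md5' : 'sha1';
    return $algo(SITE_SALT_PREFIX . $password . SITE_SALT_SUFFIX);
}

// Constant-time comparison so a login check does not leak how many leading characters matched.
function saltedTokenMatches(string $password, string $storedToken, string $algo = 'sha1'): bool
{
    return hash_equals($storedToken, saltedToken($password, $algo));
}

// CRYPT_BLOWFISH (bcrypt) through crypt(): a random 22-character salt is generated per password
// and kept inside the 60-character result, so two users with the same password get different
// hashes and no secret string has to be kept in the PHP code at all. $cost is the work factor.
function bcryptToken(string $password, int $cost = 10): string
{
    // crypt() expects 22 salt characters from the alphabet [./0-9A-Za-z]; base64 of 16 random
    // bytes gives 24 characters, which we map ('+' to '.') and trim to the accepted form.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$', $cost) . $salt);
    if (strlen($hash) !== 60) {
        throw new RuntimeException('CRYPT_BLOWFISH is not available on this PHP build');
    }
    return $hash;
}

// The stored hash carries its own salt and cost, so crypt() recomputes with the same parameters.
function bcryptTokenMatches(string $password, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Since PHP 5.5 the same bcrypt algorithm is wrapped by password_hash()/password_verify(),
// which generate the salt and do the constant-time comparison for you.
$stored = password_hash('mypassword', PASSWORD_BCRYPT);
var_dump(password_verify('mypassword', $stored));   // correct password
var_dump(password_verify('wrongpass', $stored));    // wrong password

echo saltedToken('mypassword', 'md5'), "\n";
echo saltedToken('mypassword', 'sha1'), "\n";
$h = bcryptToken('mypassword');
var_dump(bcryptTokenMatches('mypassword', $h));
```

Run it with `php example.php`. The salted md5/sha1 token depends on the secret prefix and suffix staying out of the database, which is why the article stresses that an attacker with only the table should not get far; the bcrypt form removes that dependency, because its per-password salt and adjustable cost make precomputed tables useless and slow down guessing even when the hashes and the code are both known.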
