It is easy to do password security wrong in any language. PHP makes it very easy to do it right, yet (partly due to very old tutorials) many still do it the wrong way, and the end result can be totally insecure. This is how it is done the right way:
Hash passwords
Do NOT hash passwords yourself; PHP has a built-in function that does everything for you in a secure manner - password_hash:
$password = "asdf123";
$secret = password_hash($password, PASSWORD_BCRYPT);
//Store $secret in database
password_hash will use a secure hash algorithm and salt the password with a cryptographically secure pseudorandom salt. It then returns this information (hash + salt, together with the algorithm identifier and its parameters) in a single string suitable for storing with the user's record in the database.
Verify passwords
Again - do NOT verify the password yourself; PHP has a built-in function that does this for you in a secure manner - password_verify:
if (password_verify($password_entered, $stored_secret)) {
    // Password OK
} else {
    // Password not OK
}
Simple and secure!
NB. Also do not forget to use the function password_needs_rehash when authenticating users. This enables you to update algorithms as the currently recommended standards change.
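Putting the three functions together, here is an added example (not code from the original post) of a login check that verifies the stored hash and transparently upgrades it when password_needs_rehash says the parameters are out of date. The $users array, the user names and the cost values are constructed stand-ins for a real database table.

```php
<?php
// Added example: register, verify and rehash-on-login with PHP's built-in
// password_* functions. $users is a constructed in-memory stand-in for a DB table.
declare(strict_types=1);

const HASH_ALGO    = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 12];   // raise over time as hardware gets faster

function register(array &$users, string $username, string $password): void
{
    // password_hash() picks a random salt and embeds algorithm, cost and salt
    // in the returned string, so only that string needs to be stored.
    $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

function login(array &$users, string $username, string $password): bool
{
    // Verify against a dummy hash when the account does not exist, so the
    // response time does not reveal which user names are valid.
    static $dummy = null;
    $dummy ??= password_hash('dummy-password', HASH_ALGO, HASH_OPTIONS);
    $stored = $users[$username] ?? $dummy;

    if (!password_verify($password, $stored)) {
        return false;
    }
    // The hash was made with an older algorithm or a lower cost: rehash now,
    // while the plaintext is still available, and store the new value.
    if (isset($users[$username]) && password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

// Constructed demo data: a legacy record hashed with a lower cost than today's policy.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10])];
register($users, 'bob', 'another demo password');
$before = $users['alice'];

var_dump(login($users, 'alice', 'wrong password'));               // rejected
var_dump(login($users, 'nobody', 'whatever'));                     // rejected, same code path
var_dump(login($users, 'alice', 'correct horse battery staple'));  // accepted
var_dump($users['alice'] !== $before);                             // alice's hash was upgraded
var_dump(password_get_info($users['alice'])['options']['cost']);   // now the current cost
```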