Building a user authorization system in PHP – Part II

August 26, 2006 at 8:18 pm

Hashing passwords

In the last walkthrough you should have created a script that allows a user to enter information in an HTML form and then stores this information in the database. The most obvious security hole is that we store the password in the database in plain text. If somebody manages to get the contents of your database, all user passwords will be in plain view.

This part of the tutorial helps you make the passwords more secure. The common practice for storing passwords is to store a hash of the password, which is a scrambled version of it. There is no easy way to recover the password from its hash, so this setup is much more secure. At login you then compare the hash stored in MySQL with the hash of the password the user entered. If both hashes are identical, the password is correct.

There are two basic algorithms: SHA1 and MD5. Because a specific password always corresponds to a specific hash value, an attacker does not need to brute-force the hash to get the underlying password. If someone builds a database of all possible passwords and their hashes, they can get the plain-text password by doing a hash lookup in that database. Here is an example: MD5 lookup. As there are no reliable SHA1 lookup services at the moment, it is safer to use this algorithm with some kind of modification (called a salt). Here's the line you need to add to your register.php:

$password = sha1(sha1($password) . "mysecretcode"); // store this hash in the database, not the plain-text password
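Putting that line to work on both sides of the login, as an added example that is not code from the original post: the register side stores the salted hash, the login side recomputes and compares it, and a random per-user salt is added on top of the post's site-wide secret (an extension of the post's scheme). The $users array, the function names and the "correct horse" passwords are assumptions standing in for the MySQL table and real input.

```php
<?php
// Added example, not code from the original post. It shows the salted SHA1
// scheme the post adds to register.php, the matching check a login script
// would do, and a per-user salt on top of it. "mysecretcode" is the post's
// placeholder secret; the $users array stands in for the MySQL users table.

const SECRET_CODE = 'mysecretcode'; // site-wide secret, kept out of the DB

// The post's transformation: hash, then hash again with the secret appended.
// The optional per-user salt is appended as well.
function hash_password(string $password, string $salt = ''): string
{
    return sha1(sha1($password) . SECRET_CODE . $salt);
}

// register.php side: store the hash and the per-user salt, never the password.
function register_user(array &$users, string $name, string $password): void
{
    $salt = bin2hex(random_bytes(8));          // random, unique per account
    $users[$name] = ['salt' => $salt, 'hash' => hash_password($password, $salt)];
}

// login.php side: recompute the hash from the submitted password and the
// stored salt, then compare. hash_equals() avoids a timing side channel.
function verify_login(array $users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $row = $users[$name];
    return hash_equals($row['hash'], hash_password($password, $row['salt']));
}

$users = [];
register_user($users, 'alice', 'correct horse');
register_user($users, 'bob',   'correct horse');

// Correct password verifies, wrong password does not.
var_dump(verify_login($users, 'alice', 'correct horse'));
var_dump(verify_login($users, 'alice', 'wrong password'));

// With the site-wide secret alone, alice and bob would share one hash value,
// so a leaked table would reveal that they use the same password; the
// per-user salt gives them different hashes for the same password.
var_dump($users['alice']['hash'] === $users['bob']['hash']);
```

The stored row needs both the hash and the salt columns, since the salt must be read back at login to recompute the hash.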
