Home/ Questions/Q 8252983
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-08T00:43:01+00:00

I am training to secure the login process. I have used sha 256 in

  • 0

I am training to secure the login process.

I have used sha 256 in the sign_up.php:

$username= check_input($_POST['username']);
$password= check_input($_POST['password']);
//the password is encrypted in sha256
$secure_sign_up_password = hash('sha256', $password);

and then of course in my users table in my SQL database, I can read:

  • in the column ‘login’ the actual typed login
    example: if somebody type ‘michael’, I will see ‘Michael’ in the SQL database

  • in the column ‘password’ the actual typed login
    example: if somebody type ‘fruit’, I will see the hashed value like ‘e8bfab56c53980cd014206c8da2f8c9b9708eaacc61’ in the SQL database

My question is simple but maybe a bit naive (I’m a newbie): I thought that I could still be able to read the actual password somewhere in my database and that hashing was only made to protect the password from getting intercepted and read while it was being sent. I never know, somebody might ask me to send him his real password. But the only thing I can see is the ‘hashed’ one in the password column.

  • Is it made to be like this?
  • Is it possible to visualize also the real password?
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team
    1. Never never never hold password in open format in database. If someone find exploit in system, he will be able to make any sql query and get users passwords. And hacker will be able to login into system as user, because he knows username and password
    2. If user want restore password, make functionality for regenerating password. Never store password in plain text.
    3. SHA256 is hash function. Mathematically it means – data can be “hashed” only in one way. I mean, that from hash you cannot restore data. You can read this http://en.wikipedia.org/wiki/Hash_function about hash functions and this about http://en.wikipedia.org/wiki/Sha256 sha256
      Result: If someone crack you database and get username and password, he is unable to login into system. Because hacker have only hash data and can’t get exactly password for login.
    4. As i mentioned before, hash function can be “hash” data only in one way. But some hackers build VERY big data massive for some predefined algorithms. I mean, that they build hash tables for passwords. Such hash tables looks something like this:
        password    hash
    ------------------
    a           some_hash1
    b           some_hash2
    ...         .....
    qwerty      some_hash3
    some_data   some_hash3 -- yes, data can have collisions. See wiki about hash functions

    And if hacker hacked you database and have such table, he able to restore password. For example, hacker get for admin user hash “some_hash3”, then hacker search such hash in hash table, find that hash “some_hash3” have password “qwerty” and “some_data” and hacker will try to login with such passwords.
    Result: Use salt. For nowadays hackers have such tables for 6 symbols passwords. But you can “suck” them in very simple technic: When you store password in database, add to password some value (salt) and get from such value hash:

    // somewhere in code, where creating/updating users password

$password = hash('sha256', $salt.$password);

    and when you will check password, use the same logic

    Thanks

    • 0