So I’m in the process of learning PHP and am working on a login page. I already figured out how to register a new user using a SHA256 to hash $salt+$password. I know there are slower encryption methods like bcrypt but for learning purposes I’m just using SHA256. My question is, after using this to encrypt:
function HashPassword($password) {
$salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
$hash = hash("sha256", $salt . $password); column
$final = $salt . $hash;
return $final;
}
using prepared statements, what is the best way to retrieve the hash password from the database so I can validate it using a function like this?
function ValidatePassword($password, $hash_pass) {
$salt = substr($hash_pass, 0, 64);
$trueHash = substr($hash_pass, 64, 64);
$reHash = hash("sha256" , $salt . $password);
return $reHash == $trueHash;
}
You basically save the password hashed with a salt to make it not recognizable.
In case your database gets hacked at some point, the hacker can’t read the password directly. Instead he will have to recreate the hashed value.
If you don’t use a different (random) salt for each user, the hacker will only have to create one table with all possible hash values and compare that to your saved hashed passwords.
If each password, however, has a different salt added to the password, before hashing, the hacker has to create a new table for each single password, thus increasing the effort needed to get the real passwords a lot. One hopes that this will make in inefficient or too costly for the hacker.
For you as a coder that wants to validate login credentials you have to follow the following pattern:
hash = salt + passwordhash === savedHash