Hi peeps,
In every web developer’s life the time comes when you have to build a web application that requires user authentication. It just can’t be avoided. So you’ll most likely want to keep prying eyes from accessing sensitive data like passwords, credit card information (online stores are a good example), etc. I’m going to show you a simple way to protect your passwords using PHP and MySQL.
What is password hashing?
Before we get started, I believe it’s a good idea to clear some things up. What is a hash? Think of it as a digital fingerprint of a piece of data. It’s a procedure for turning any kind of data into a much smaller integer (its fingerprint).
Beware: encrypting and hashing are not the same. With encrypting you can reverse the data into its original form (decrypting). However, it’s near to impossible to reverse hashed data into its original value.
Hashes and some Salt, please
However, just hashing your password won’t do the trick. Why? Hashed data can be cracked by brute forcing: your attacker can generate hashes of potential passwords (e.g. a dictionary attack). The resulting hashes are compared to what you have in your database and if any match is found then your password has been revealed.
This weakness can be overcome by adding a random string into our hashing algorithm. This is what we do: before hashing our password we’ll create a random string (a.k.a. salt) and prepend it to our plain text password. Finally, apply some hashing to our salted password.
That should make our password secure enough and virtually impossible to crack with conventional methods.
Enough of theory! Our example
Let’s imagine that we have a MySQL table called User. This table has the following fields: ID, username, password, salt (we’ll need this field later!).
Now, we’re going to build up our hashing algorithm:
This function will handle two situations:
- if no $salt string is provided then we create a new one. That means that someone is registering.
- we received a salt string. That means that someone is trying to log in.
The registration system
This is our registration script:
sql($query); ?>
A little explanation: we proceeded to apply some hashing to our password. The function generateHash() didn’t receive a predefined $salt variable so it must create one on its own. Next, we’ll extract the salt from our $hashedPassword (we prepended it to the string, remember?). Finally, we’ll use the strlen() function to remove the salt from our hashed password.
Our login script
This is the script we’ll be using to process the authentication request:
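    // ...
    $result = $db->sql($query);
    $salt = $db->fetch($result);

    // let's hash the $password and compare it to what we have in the database
    $password = sha1($salt . $password);

    // this should make it identical to our hashed password...
    // ($password is now a hex digest; $username must be escaped before it goes into the query)
    $query = "SELECT password FROM User WHERE username = '$username' AND password = '$password'";
    $result = $db->sql($query);

    if ($db->fetch($result) < 1) {
        // wrong password!!
        echo "Error: wrong username/password combination!";
    } else {
        // escape the name before echoing it back into the page
        echo "Welcome " . htmlspecialchars($_POST['username'], ENT_QUOTES, 'UTF-8');
    }
    ?>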
A brief explanation: first, let’s retrieve the salt used to secure our member’s password. Next, add that salt to the password submitted by our friend and apply SHA1 to it. Finally, we’ll compare our password with the one provided by the visitor to see if they match. If they do, we’ll grant access to our visitor. However, if our visitor’s hashed password doesn’t match with ours then let’s display an error message.
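The hashing function, registration and login steps described above, as one script that runs without a database. This is an added example, not the tutorial's original code: the function bodies, the 16-byte salt size and the helper names registerRow() and checkLogin() are assumptions, and the arrays are constructed stand-ins for rows of the User table.

```php
<?php
// Added example: function bodies, salt size and helper names are assumptions.
const SALT_BYTES = 16;                 // assumed size: 16 random bytes
const SALT_HEX_LEN = SALT_BYTES * 2;   // stored as 32 hex characters

// No $salt: someone is registering, so create one.
// $salt given: someone is logging in, so reuse the stored one.
// Returns the salt followed by sha1(salt . password), as the tutorial describes.
function generateHash(string $password, ?string $salt = null): string
{
    if ($salt === null) {
        $salt = bin2hex(random_bytes(SALT_BYTES)); // CSPRNG, unique per user
    }
    return $salt . sha1($salt . $password);
}

// Registration: split the result into the salt and password columns.
function registerRow(string $username, string $password): array
{
    $hashedPassword = generateHash($password);
    return [
        'username' => $username,
        'salt'     => substr($hashedPassword, 0, SALT_HEX_LEN),
        'password' => substr($hashedPassword, SALT_HEX_LEN),
    ];
}

// Login: recompute with the stored salt and compare in PHP in constant time.
function checkLogin(array $row, string $password): bool
{
    $candidate = substr(generateHash($password, $row['salt']), SALT_HEX_LEN);
    return hash_equals($row['password'], $candidate);
}

// Constructed rows standing in for records of the User table.
$alice = registerRow('alice', 'correct horse');
$bob   = registerRow('bob', 'correct horse');
var_dump(checkLogin($alice, 'correct horse'));        // right password
var_dump(checkLogin($alice, 'wrong guess'));          // wrong password
var_dump($alice['password'] === $bob['password']);    // same password, different salts

// Same flow with PHP's built-in API: the salt is generated for you and kept
// inside the returned string, and the algorithm is slow by design, which a
// single fast SHA1 is not.
$stored = password_hash('correct horse', PASSWORD_DEFAULT);
var_dump(password_verify('correct horse', $stored));
var_dump(password_verify('wrong guess', $stored));
```

With password_hash() the User table needs only one password column, since the salt travels inside the stored string.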
Final Words
As you can see this is a simple example. No validation procedures were included in it so I strongly recommend you add your own custom validation algorithms in your PHP scripts to handle all the possible errors that might arise.
If you find anything that should be added/fixed/improved please feel free to leave me a comment.
Oh, and if you liked my tutorial please don’t forget to Digg it



Good Blog. I will continue reading it in the future. Nice layout too.
Aaron Wakling
April 7th, 2008
Thanks for your comments, Aaron
Ikki
April 7th, 2008