Whatever programming language you are using, sooner or later there’s a need of maintaining user credentials for the application which interacts with the end user to store their data. Their username and password are stored in the database, no matter which database. With this piece of information you can authenticate users to use your application.
So the question is how you store and manage user passwords securely. Didn’t you ever face this question? Or do you just choose the function provided by your language to encrypt a password and move on? Wait a minute, you can’t store the users password without knowing the background of storing it. Anyone can breach your application if the passwords are not saved as secured as your money in the bank account.
Let’s understand the techniques behind securing the passwords.
Generally there are two techniques to store your password you might have heard of. Hashing and Encryption. Hashing and encryption both are different approaches that might have made you confused. Let’s see the difference.
Encryption
What is Encryption
Lets say, you want to send a message to your friend and you don’t want others to read it. You will set some kind of password or keyphrase to open the message. You will share the keyphrase to your friend and he can see the message only after putting the keyphrase.
Restricting your message to open by keyphrase or password is encryption and opening the message by the provided keyphrase or password is decryption.
As you might have guessed, encryption is a two-way method. The encrypted string can be decrypted with the proper key. You must have the proper key to encrypt or decrypt the string. Encryption is very useful in the areas other than password. It’s not a good strategy to secure the password. If the database is compromised, there might be very good chances, all user accounts will be compromised.
So how does it work? User enters a password and user id in a browser and sends it to the server. Server encrypts the password using the key and checks with the stored password. If both are the same, the user gets authenticated. If the attacker has the encrypted password, they can easily generate millions of keys to check and decrypt the string.
Hashing
What is Hashing
Take an example of making tea, you add water, sugar, tea leaves, milk and boil it to make tea. Once tea is ready, no one can separate any of the ingredients to know what made this taste . If the quantity of any of the ingredients is changed, it will change the taste.
Hashing works the same way, You can add pieces of information to the algorithm and get the hash. You can not get the added information from the hash. However you can make another hash if anything changes in the information.
Unlike encryption, Hashing is an irreversible, one-way function. It produces a fixed-length string that can not be reversed. There is no way to reverse the hashing process to reveal the original password. You can compare hash against another hash to compare passwords, weather its same or not.
So how does it work? User enters a password and user id in a browser and sends it to the server. Server generates a hash using the same algorithm which was used to generate the first time password and matches both hash. If both are the same, the user authenticated.
Stealing hashed passwords also gives attackers a good chance to reverse the hashing process and get the password because normally people didn’t use a complete random password, they use normal string. Attackers can run millions of common passwords in the hashing algorithm and can get the matching hash (called a rainbow table) with the password hash.
Now which method should we use? Both have pros and cons. Protection against those is to salt the hash. Now you must have heard about salting the password. Let me explain to you how salting works.
Salt the Hash
Before generating a hash, you can add a random number as a salt to each password before it is hashed. The generated hash will be the combination of password and salt. It will not match with the rainbow table. Now the attacker can try random numbers as a salt to the common password to generate hash. But salting makes it impractical to generate matching hash.
You should not use general-purpose cryptographic hash functions like SHA256. You should use a specialized password hashing algorithm, some of them are below.
- Argon2 (available in PHP 7.2 and newer)
- Scrypt
- Bcrypt
- PBKDF2 with HMAC-SHA256 or HMAC-SHA512
PHP provides Bcrypt for you. Let’s dive into the Bcrypt to know how it works.
Hashing password in php using password_hash
Password_hash uses bcrypt which is the strongest algorithm currently php is using. You don’t need to add salt in password_hash as it takes care of password salting for you. The salt is stored, along with the algorithm, as part of the hash. password_verify() extracts this from hash to check the password, so you don’t need a separate database field to store your salts.
<?php
$passwordHash = password_hash('secret-password', PASSWORD_DEFAULT);
if (password_verify('any-password', $passwordHash)) {
// Correct Password
} else {
// Wrong password
}
In above example PASSWORD_DEFAULT parameter specifies that function should use bcrypt algorithm.
I hope this explanation would have helped you to understand encryption, hashing and salting the passwords. As you might have guessed, salting hash is the best option to secure your password. Salt makes everything better, isn’t it?
Each approach has its upsides and cons too, make an informed decision!
