Securely Storing Client User’s Password

I read a nice article here that talks about how we should store client users' passwords securely with PHP and a MySQL database. Basically the main idea is:

  • Don’t store the password as plain text (obviously)
  • Don’t use a reversible process such as encryption on the password (so that no one can retrieve the original password even if they know how you process it)
  • Don’t use MD5 alone to hash and store the password (because of rainbow tables)
  • Don’t use a constant salt (because of rainbow tables again: if someone knows the salt you are using, they can generate a rainbow table specifically for that salt)
  • Do make your password authentication process take a reasonably long time (to slow down brute force)
  • For extra security, generate a new salt each time the client user logs in

The article provides PHP sample code on how to store the password securely using PHP and MySQL. Go take a look if you are too lazy to work out what I am talking about.
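As an added illustration (not the linked article's own code), here is how those steps look with PHP's built-in password_hash()/password_verify(): a random per-user salt embedded in the stored hash, a deliberately slow bcrypt cost, and a fresh hash (new salt) written back after every successful login. An in-memory SQLite table stands in for the MySQL users table so the script runs offline; the table layout and user names are assumptions.

```php
<?php
// Added example: salted, slow password hashing with re-salting on login.
// An in-memory SQLite database stands in for the MySQL users table (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

function hashPassword(string $password): string
{
    // password_hash() draws a fresh random salt for every call and stores it
    // inside the returned string, so no separate salt column is needed and two
    // users with the same password get different hashes (no shared rainbow table).
    // The bcrypt cost makes each hash deliberately slow; tune it so one hash
    // takes on the order of 100 ms on the server to throttle brute force.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function registerUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => hashPassword($password)]);
}

function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown user: still spend one hash so response time does not reveal
        // which usernames exist.
        password_verify($password, hashPassword('placeholder'));
        return false;
    }
    // password_verify() reads the salt and cost out of the stored hash and
    // compares in constant time.
    if (!password_verify($password, $row['pw_hash'])) {
        return false;
    }
    // Successful login: re-hash with a new random salt (and the current cost)
    // and store it, which is the article's "new salt after each login" step.
    $upd = $db->prepare('UPDATE users SET pw_hash = :h WHERE username = :u');
    $upd->execute([':h' => hashPassword($password), ':u' => $username]);
    return true;
}

registerUser($db, 'alice', 'correct horse battery staple');
var_dump(loginUser($db, 'alice', 'correct horse battery staple'));
var_dump(loginUser($db, 'alice', 'wrong password'));
```

The stored hash changes after each successful login, which you can confirm by selecting pw_hash before and after the call; the cost parameter is also checked on login, so raising it later lets password_needs_rehash() style upgrades happen in the same step.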
