I read a nice article here that talks about how to store client users' passwords securely with PHP and a MySQL database. Basically, the main ideas are:
- Don’t store the password as plain text (obviously)
- Don’t process the password in a reversible way such as encryption (with a one-way hash, nobody can recover the original password even if they know exactly how you process it; with encryption, whoever gets the key gets every password)
- Don’t use MD5 alone to hash and store the password (it is fast and unsalted, so precomputed rainbow tables crack it)
- Don’t use a constant salt (rainbow tables again: if someone learns the one salt you use, he can build a single rainbow table for that salt and crack every account at once; a random salt per user forces a separate attack per user)
- Do make your password authentication process take a reasonably long time (a slow hash makes brute force and dictionary attacks expensive; it does not prevent them, it just raises the cost per guess)
- For extra security, generate a new salt and re-hash the password each time the client user logs in
The article provides PHP sample code showing how to store the password securely using PHP and MySQL. Go take a look if you are too lazy to follow what I am talking about here.
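To make the list concrete, here is an added example of my own (not the article's sample code) that covers every point above using PHP's built-in `password_hash()` / `password_verify()`, which use bcrypt with a random per-user salt embedded in the stored string. The `users` array is a constructed stand-in for the MySQL table; the column and table names in the SQL comments are assumptions.

```php
<?php
// Added example, not the article's code: salted, slow, one-way password storage
// with PHP's password_hash()/password_verify() (bcrypt by default).
declare(strict_types=1);

// bcrypt work factor. Each +1 doubles the time per hash; raise it as hardware
// gets faster. 10 is the PHP default, 12 is a reasonable value today.
const BCRYPT_COST = 12;

// Returns the string to store in the (assumed) `password_hash` VARCHAR(255)
// column. The result embeds the algorithm, the cost and a fresh 16-byte random
// salt, so there is no separate salt column and no two users share a salt.
function createPasswordHash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Checks a login attempt. password_verify() reads the salt and cost out of the
// stored string, recomputes the hash, and compares in constant time.
function checkPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// After a successful login, produce a replacement hash for the database.
// With $always = true this regenerates the salt on every login (the article's
// "extra security" point); otherwise it only re-hashes when the stored hash
// was made with an older algorithm or a lower cost than we use now.
function rehashAfterLogin(string $password, string $storedHash, bool $always): ?string
{
    $opts = ['cost' => BCRYPT_COST];
    if ($always || password_needs_rehash($storedHash, PASSWORD_BCRYPT, $opts)) {
        return createPasswordHash($password);
    }
    return null;
}

// Constructed in-memory stand-in for the MySQL `users` table. With a real
// database the same values go through prepared statements, e.g.
//   INSERT INTO users (username, password_hash) VALUES (?, ?)
//   SELECT password_hash FROM users WHERE username = ?
//   UPDATE users SET password_hash = ? WHERE username = ?
$users = [];

// Registration: store only the hash, never the password.
$users['alice'] = createPasswordHash('correct horse battery staple');
$users['bob']   = createPasswordHash('correct horse battery staple');

// Same password, different stored values: the per-user salt defeats a shared
// rainbow table.
echo "alice: {$users['alice']}\n";
echo "bob:   {$users['bob']}\n";
echo 'distinct hashes for the same password: ', var_export($users['alice'] !== $users['bob'], true), "\n";

// Login: correct and wrong attempts. Time it to see the deliberate slowness.
$start = microtime(true);
$ok    = checkPassword('correct horse battery staple', $users['alice']);
$bad   = checkPassword('wrong password', $users['alice']);
$ms    = (microtime(true) - $start) * 1000 / 2;
echo 'correct password accepted: ', var_export($ok, true), "\n";
echo 'wrong password accepted:   ', var_export($bad, true), "\n";
printf("about %.0f ms per verification at cost %d\n", $ms, BCRYPT_COST);

// On success, write a freshly salted hash back (UPDATE users SET ... in MySQL).
if ($ok) {
    $new = rehashAfterLogin('correct horse battery staple', $users['alice'], true);
    if ($new !== null) {
        $users['alice'] = $new;
        echo "alice re-hashed with a new salt: {$users['alice']}\n";
    }
}
```

Two things worth noting about the design. The slowness comes from the bcrypt cost, not from an artificial `sleep()`, so an attacker who steals the database and runs the hashes offline pays the same price per guess that your login page does. And re-salting on every login is harmless but buys little against an offline attacker, since each stolen hash must be attacked individually either way; the `password_needs_rehash()` path is the one that matters in practice, because it lets you raise the cost over the years without forcing password resets.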