+ 2

How to encode a password nowadays?

If a user creates an account, what do I have to do on the server side?
1. encode the password
2. store the user data and the hashed password in the database
How do I do steps 1 and 2 to today's standard? And now the user maybe wants to see his/her profile. How do I check whether the user has permission for this profile? Do I decode the password and check if the passwords are equal? I heard about tokens but I do not know exactly what they are. How can I use tokens for that, or is that not a good way?

25th Apr 2018, 3:04 PM
Stefanoo
6 answers
+ 5
Rule NO. 1 👆 Never encode or encrypt user password as the process is reversible by anyone who can read it and thus reveal the secret. You may go ahead and study about the difference between encode, encrypt and hash. Regarding your 2nd enquiry for access right, you may study about authentication and authorization. I'm happy to show you the way so please do your best too and let us know if you find any concept that requires further clarification. 😉
25th Apr 2018, 3:12 PM
Zephyr Koo
+ 3
Boem Shakalaka, hashing the password directly in the frontend is a good tip, thanks for that.
25th Apr 2018, 5:50 PM
Stefanoo
+ 2
Ah okay, thank you both. I think I now have a lot to google :D
25th Apr 2018, 3:18 PM
Stefanoo
+ 2
That's true Schindlabua, I think I'll use sha512. PHP has a function for that:
$salt = 'some random chars';
$password = 'test123';
hash('sha512', $password.$salt);
25th Apr 2018, 5:07 PM
Stefanoo
+ 2
To summarize the above answers:
1. Use hashing for password storage, NEVER store a password in plaintext. Just store the hash. (And google for "salt password protection"; Stefanoo demonstrates it already, it is used to randomize the hash more.)
2. Hashing comes in many forms; you want to use an unkeyed cryptographic hash algorithm like SHA-2 or SHA-3.
3. Don't use MD5!! Maybe SHA-1 is still pre-image resistant, but I wouldn't recommend using it.
4. When a user fills in a password on a website, hash the password and send the hash to your back-end (!).
5. Hashing and encryption are different things. Encryption is meant to be reversible (google RSA encryption), hashing is not.
25th Apr 2018, 5:21 PM
***
+ 1
I just want to add that MD5 and SHA1 are insecure and have been broken, SHA256 is considered safe I believe. Crypto is pretty hard, you should probably not try to build it yourself and use software by the experts instead!
25th Apr 2018, 4:51 PM
Schindlabua
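The following is an added example, written for this page and not code posted by anyone in the thread. It shows the two things the question asks about on the server side: storing a password as a salted, slow hash and then deciding whether a logged-in user may view a given profile via a token. It uses PHP's built-in password_hash()/password_verify() (bcrypt by default), which generate and embed the random salt themselves and are deliberately slow, instead of a hand-made $salt with a fast hash like SHA-512; the password is hashed on the server, where the verification happens. An in-memory array stands in for the database, and the names register_user(), login(), can_view_profile() and DUMMY_HASH are assumptions chosen for the example.

```php
<?php
// Added example, not code from the thread: a minimal server-side
// register / login / profile-access flow in PHP (7.x or 8.x). Assumptions:
// an in-memory array stands in for the database, and register_user(),
// login(), can_view_profile() and DUMMY_HASH are hypothetical names.
declare(strict_types=1);

// A precomputed hash used when the username is unknown, so a failed login
// costs about the same time whether or not the account exists.
define('DUMMY_HASH', password_hash('not-a-real-password', PASSWORD_DEFAULT));

// Steps 1 and 2 of the question: the password itself is never stored, only a
// salted, slow hash of it. password_hash() generates the random salt and
// keeps it inside the returned string, so no hand-made $salt is needed.
function register_user(array &$users, string $username, string $password): int
{
    if (isset($users[$username])) {
        throw new RuntimeException('username already taken');
    }
    $id = count($users) + 1;
    $users[$username] = [
        'id'            => $id,
        'password_hash' => password_hash($password, PASSWORD_DEFAULT),
    ];
    return $id;
}

// Login (authentication): password_verify() re-hashes the submitted password
// with the salt and cost embedded in the stored hash and compares the result
// in constant time. Nothing is ever "decoded". On success a random bearer
// token is issued; the token table keeps only its SHA-256, so a leaked table
// does not contain usable tokens. Returns null on failure.
function login(array &$users, array &$tokens, string $username, string $password): ?string
{
    $stored = $users[$username]['password_hash'] ?? DUMMY_HASH;
    if (!password_verify($password, $stored) || !isset($users[$username])) {
        return null;
    }
    // Upgrade older hashes transparently if the default algorithm or cost changed.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$username]['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $tokens[hash('sha256', $token)] = [
        'user_id' => $users[$username]['id'],
        'expires' => time() + 3600,              // one-hour lifetime
    ];
    return $token;                               // goes to the client, e.g. in a cookie
}

// Profile access (authorization): the client presents the token with each
// request; the server looks up its hash, checks expiry, and then applies the
// rule "a user may view only their own profile".
function can_view_profile(array $tokens, string $token, int $profile_user_id): bool
{
    $session = $tokens[hash('sha256', $token)] ?? null;
    if ($session === null || $session['expires'] < time()) {
        return false;
    }
    return $session['user_id'] === $profile_user_id;
}

// Constructed sample run (the arrays below play the role of database tables).
$users  = [];   // username => ['id' => int, 'password_hash' => string]
$tokens = [];   // sha256(token) => ['user_id' => int, 'expires' => int]

$stefanoo = register_user($users, 'stefanoo', 'test123');
$zephyr   = register_user($users, 'zephyr', 'another-password');

$token = login($users, $tokens, 'stefanoo', 'test123');
var_dump($token !== null);                                        // correct password
var_dump(login($users, $tokens, 'stefanoo', 'wrong') === null);   // wrong password
var_dump(login($users, $tokens, 'nobody', 'test123') === null);   // unknown user
var_dump(can_view_profile($tokens, $token, $stefanoo));           // own profile
var_dump(can_view_profile($tokens, $token, $zephyr));             // someone else's profile
var_dump(can_view_profile($tokens, 'forged-token', $stefanoo));   // token not issued by the server
```

Run it with `php example.php`. In a real deployment the two arrays become database tables, the token is sent back in an HttpOnly cookie or an Authorization header, and the profile rule in can_view_profile() is where any richer permission model (admins, shared profiles) would go; the password check itself stays exactly as shown.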