Reputation: 1811
Correct use of crypt?
So after researching this quite a bit I'd like to know if this is the best practices way of doing it or not.
When I send the user's password to the DB I'm doing this:
// DB input:
$mySalt = time(); // generate random salt such as a timestamp
$password = crypt($_POST['password'], $mySalt);
// submit $password and $mySalt to DB here via PDO
And when I go to check the password at login I'm doing this:
// At login:
// retrieve the password and the salt from the DB
if(crypt($_POST['password'], $saltFromDb) === $passFromDb)
// allow login
Would this be the correct way to do that or am I missing something? Thank you for any advice.
Upvotes: 1
Views: 184
Answers (1)
Reputation: 43884
What you need instead is to use the inbuilt salting and hashing functions supplied within crypt. Here is an example using a good hashing algorithm call blowfish (bcrypt): How do you use bcrypt for hashing passwords in PHP?
In this case the slower the algorithm the better.
When getting it from DB you would simply use crypt() to evaluate the entire string to understand if it validates as the correct password etc.
Upvotes: 2
Related Questions
- php encrypting passwords
- How to use crypt() and the password_hash() function together?
- Encryption using crypt()
- How to hash and salt passwords
- Password hashing methods
- Hashing using crypt in PHP
- Where do I hash the password?
- Am I using PHP's crypt() function correctly?
- Am I supposed to store hashes for passwords?
- crypt() function not giving proper hashes