Schwaitz

Reputation: 471

Can I store sha256 hashed passwords in plain text?

So I have php code which saves a hashed version of a password to a file called passwords.txt. As it currently stands, anyone who knows the directory of the file (www.example.com/datacache/passwords.txt) can access it. Is this the incorrect way of doing it? I thought I followed the guide to correct password treatment to the letter, but this seems oddly insecure. Thoughts? Suggestions?

Thank you!

Upvotes: 1

Views: 2990

Answers (2)

martinstoeckli

Reputation: 24071

Actually there are two questions here:

1) Is it ok to store the hashes in a file

Saving passwords in a file is not better or worse than storing them in a database. The point with a file is that it should be stored outside of the WWW root directory. Most providers offer a private directory, which can be accessed by code but cannot be reached by HTTP requests.

2) Is it safe to use SHA-256 for hashing passwords

No, SHA-* and MD5 should not be used directly to hash passwords, because they are too fast and can therefore be brute-forced too easily. Instead one should use a slow function like BCrypt, PBKDF2 or SCrypt; they offer a cost factor and add a safe salt automatically.

PHP offers a password API with two functions, password_hash() and password_verify(). Use them; they are future proof and will produce BCrypt hashes.

<?php
// $password is the password submitted by the user; $existingHashFromDb is the
// value previously saved for that user.

// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_DEFAULT);

// Check whether the entered login password matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);

If you're running an old version of PHP that doesn't have this API, upgrade. If for some reason you can't, check out password_compat.

Upvotes: 1
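The two points of the answer above, put together as an added example (this is not code from the answer or from the asker's project): a small file-backed credential store whose file lives outside the web root, written and checked with password_hash() and password_verify(). The directory layout, the file name passwords.json, the usernames and the passwords are assumptions made for the demo; it needs PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added example, not code from the answer above. Assumed (hypothetical) layout:
//   /var/www/example.com/public/   DocumentRoot, reachable over HTTP
//   /var/www/example.com/private/  never served; readable by PHP code only
// With this script in public/, the store sits one level above the web root.
const PASSWORD_FILE = __DIR__ . '/../private/passwords.json';

function load_users(string $file): array
{
    if (!is_file($file)) {
        return [];
    }
    $users = json_decode((string) file_get_contents($file), true);
    return is_array($users) ? $users : [];
}

function save_users(string $file, array $users): void
{
    $dir = dirname($file);
    if (!is_dir($dir)) {
        mkdir($dir, 0700, true);
    }
    // Write to a temp file, restrict its mode, then rename atomically so a
    // crash mid-write cannot leave a truncated store behind.
    $tmp = $file . '.tmp';
    file_put_contents($tmp, json_encode($users, JSON_PRETTY_PRINT), LOCK_EX);
    chmod($tmp, 0600);
    rename($tmp, $file);
}

function register(string $file, string $username, string $password): void
{
    $users = load_users($file);
    // password_hash() draws a random salt and embeds it, together with the
    // algorithm and cost factor, in the returned string; nothing else is kept.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    save_users($file, $users);
}

function login(string $file, string $username, string $password): bool
{
    $users = load_users($file);
    // For an unknown user verify against a throwaway hash so the response
    // time does not reveal whether the username exists.
    static $dummy = null;
    $dummy ??= password_hash('unknown-user-placeholder', PASSWORD_DEFAULT);
    $exists = isset($users[$username]);
    $stored = $exists ? $users[$username] : $dummy;

    // Both conditions are evaluated so the timing is the same either way.
    $ok = password_verify($password, $stored) && $exists;
    if (!$ok) {
        return false;
    }
    // Upgrade the stored hash transparently when the default cost or
    // algorithm changes between PHP versions.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
        save_users($file, $users);
    }
    return true;
}

// Demo run with constructed credentials.
register(PASSWORD_FILE, 'alice', 'correct horse battery staple');
var_dump(login(PASSWORD_FILE, 'alice', 'correct horse battery staple'));
var_dump(login(PASSWORD_FILE, 'alice', 'wrong password'));
var_dump(login(PASSWORD_FILE, 'nobody', 'anything'));
```

login() returns true only for the first call; the second fails on the hash, the third on the missing user. If the host offers no directory outside the web root, an Apache .htaccess with `Require all denied` in the data directory is a weaker fallback that stops working the moment the server is reconfigured or swapped, so a true private directory is preferable. Note also that bcrypt, the current PASSWORD_DEFAULT, only uses the first 72 bytes of the password.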

Tommy

Reputation: 366

Ideally you'd save them in a secure SQL database, or something of that description; hashing is supposed to be a second line of defence.

So if your database data gets breached and a hacker gets a hold of it, they won't be able to log on to everyone's account.

Usually the process with any type of hash is that, once it's brought out, it is the most secure it will ever be, and then gradually over time, with the collection of people and increased computer power, the hash will be "broken", usually through a collection of rainbow tables, and will end up on a website such as THIS, which is what happened with MD5.

If you are going to store them in a .txt file, the minimum you can do on top of what you've already done is to make sure you SALT the hashed password. Salting a hashed password decreases its chance of being cracked. Please refer to the links below on how you would go about salting your hash.

Great video by Computerphile on YouTube about the topic

Good tutorial by CrackStation on how to Salt a Hash

Good examples by W3Schools on Hashing/Salting

Upvotes: 0
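An added example (not code from either answer) that shows concretely what the salting advice above buys: the unsalted SHA-256 store from the question is cracked with one precomputed table that serves every user and every site, whereas a per-user random salt, here the one password_hash() applies for bcrypt, forces the attacker to redo the whole wordlist for each user at the slow hash's cost. The wordlist, the user names and the passwords are constructed for the demo; it needs PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added example, not part of the answers above. Constructed wordlist standing
// in for a real cracking dictionary.
const WORDLIST = ['123456', 'password', 'qwerty', 'letmein', 'hunter2', 'dragon'];

// What the question's passwords.txt effectively holds: hex SHA-256, no salt.
function unsalted_store(array $creds): array
{
    $store = [];
    foreach ($creds as $user => $pw) {
        $store[$user] = hash('sha256', $pw);
    }
    return $store;
}

// Attack on the unsalted store: hash the wordlist ONCE, then crack every user
// with a lookup. Equal passwords give equal hashes, so the same table works
// against every leak that used plain SHA-256.
function crack_unsalted(array $store, array $wordlist): array
{
    $table = [];
    foreach ($wordlist as $w) {
        $table[hash('sha256', $w)] = $w;
    }
    $cracked = [];
    foreach ($store as $user => $h) {
        if (isset($table[$h])) {
            $cracked[$user] = $table[$h];
        }
    }
    return $cracked;
}

// Salted, slow alternative: bcrypt via password_hash() picks a random salt per
// user and embeds it in the hash together with the cost factor.
function salted_store(array $creds, int $cost = 10): array
{
    $store = [];
    foreach ($creds as $user => $pw) {
        $store[$user] = password_hash($pw, PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return $store;
}

// No precomputation is possible: each user's salt forces the attacker to
// rehash the whole wordlist per user, at bcrypt cost rather than SHA-256 cost.
function crack_salted(array $store, array $wordlist): array
{
    $cracked = [];
    foreach ($store as $user => $h) {
        foreach ($wordlist as $w) {
            if (password_verify($w, $h)) {
                $cracked[$user] = $w;
                break;
            }
        }
    }
    return $cracked;
}

// Rough throughput of one guess with each function on this machine.
function guesses_per_second(callable $hashOne, int $n): float
{
    $start = microtime(true);
    for ($i = 0; $i < $n; $i++) {
        $hashOne("guess-$i");
    }
    return $n / (microtime(true) - $start);
}

$creds = ['alice' => 'hunter2', 'bob' => 'hunter2', 'carol' => 'Tr0ub4dor&3'];

$plain = unsalted_store($creds);
// alice and bob chose the same password, so their unsalted hashes are identical.
printf("unsalted: alice == bob: %s\n", var_export($plain['alice'] === $plain['bob'], true));
print_r(crack_unsalted($plain, WORDLIST));

$salted = salted_store($creds);
// Different salts: the two hashes differ, and no shared table exists.
printf("salted:   alice == bob: %s\n", var_export($salted['alice'] === $salted['bob'], true));
print_r(crack_salted($salted, WORDLIST));

printf("SHA-256 guesses/s: %.0f\n", guesses_per_second(fn($g) => hash('sha256', $g), 100000));
printf("bcrypt  guesses/s: %.1f\n", guesses_per_second(fn($g) => password_hash($g, PASSWORD_BCRYPT, ['cost' => 10]), 20));
```

Both crackers recover the two weak passwords (they are in the wordlist) and miss carol's, but the unsalted run does it with a single table that would also crack every other SHA-256 leak, while the salted run has to pay one bcrypt computation per guess per user; the last two lines print the ratio. Salting by hand, as the links above describe, gains the first property; the cost factor that gains the second is what the password API supplies on top.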
