We all know storing passwords in clear text in your database is rude. Yet, many do it because it makes a website easy for testing or password recovery. Programmers often don’t hash passwords because we are lazy. But, I’m developing a WordPress security product. So, I should make an effort to securely hash passwords. It’s just polite really. I know many of my users will set their password as Password1, but even so, I’d like to hash passwords. However, again I’m a lazy programmer, so I went to PHP.net to grab some code to steal for this. I thought I’d be done in 10 minutes.
It didn’t take 10 minutes.
Instead I found the PHP man pages for storing passwords to be confusing, cryptic (haha get it?), and full of esoteric comments that are hard to understand. I don’t really care about the minute differences between protocols, but I found that I shouldn’t use md5. I just wanted some sample code that works. I love the PHP manual, but when it comes to passwords the man page left me with more questions than answers. So, I read through everything on StackExchange, and a few good blogs. I turned what I learned into some code so that you don’t have to read them.
Here’s the short version of what you need to know:
- Hash your passwords with something other than MD5 (Bcrypt or Sha2).
- Don’t invent your own algorithm. You will fail.
- Use a unique, random salt for each password and store both the salt and hash.
- Salt does not have to be secret. Each salt has to be unique so the hashes are unique.
- Algorithms won’t fix bad passwords.
Fork the code on Github.