By: Bryan Nielsen
When a web site requires user authentication for administrators or membership users it is necessary to store user names and passwords on the web server for each user. The user names and passwords are normally stored in a text file or a database table on the web server.
Securing these stored user names and passwords is a critical task in web site development that starts with restricting access to the file or database table that contains the user names and passwords, however, securing the records should not stop there. Stories in the news of leaked user information from web sites is very common and passwords that are saved in plain text provide immediate access to user accounts to anyone who obtains the leaked user name and password information.
A common method of securely storing passwords is to use a one way hash of the password text using the PHP crypt() function. The hash from the password appears to be a random string of characters and cannot be converted back to a plain text password which is why it is called a one way hash.
Instead of storing the plain text password in the user file or database table a one way hash is stored. The one way hash provides a barrier to unauthorized web site access even if the information is leaked because the hash by itself cannot be used to access a user account.
Authentication Against Hashed Passwords
When using one way hashed passwords the authentication process is similar to plain text password checks but requires one additional step. When a user enters their password it must be hashed first and the resulting new hash is compared to the saved hash value to see if they match.
Hashing Algorithm and Salt
When the original password was hashed using the crypt() function no algorithm or salt was specified so the PHP function will automatically select the hashing algorithm and generate the salt. When producing a password hash to test a password for authentication the same hashing algorithm and salt must be used.
(NOTE: In future versions of PHP the salt for the hashing algorithm must be specified or PHP will generate an error! Please review the PHP documentation before utilizing the crypt function.)
The algorithm and salt used for the original password hash are stored in the hash value itself, so we can use the supplied login password and the original hash value in the crypt() function to generate a matching hash if the password entered by the user is correct.
If the password provided by the user is correct then the crypt() function will produce a matching hash value based on the algorithm and salt specified in the original hash. If the user enters a bad password then the resulting new hash will not match the original hash value even though the same algorithm and salt are used.
Using a one way hash to protect user passwords in the event of a data leak will provide a significant barrier to further unauthorized access by protecting the passwords, however, it is still important that your user's provide strong passwords.
While the one way hash does provide a significant barrier to password exposure in the event of a data leak it is still possible to break the one way hash using brute force or a hash library if the original user password is weak. A hacker who collects the user information with hashed passwords can easily process common words and phrases through the crypt() function on their own system and note any matches.
By using passwords that include random characters, numbers and other characters the resulting hash will be less susceptible to a dictionary or brute force attack in the event of a data leak.
Crypt Password Example
A simple one page example script is provided in the demos to demonstrate how the crypt function can be used to hash passwords and perform authentication. The demo can be viewed here
You will need to download the source code for the example to review the code and get a better understanding of the methods used. The sample code is available from the downloads section here