I'm developing a website for a company, and they require login verification in order to use some of the services that this company provides. Using common sense, I know that I need to encrypt the user's password when saving it to a database. Not a problem, I can simply implement a hashing algorithm and store the hash (or something, I still need to troll StackOverflow to figure out the best way to save this information, but that's not what I'm asking).
What I'm curious about is how to actually execute the encryption algorithm. Is that a stand-alone program on the server that will encrypt the password and then store it? Or would I have to use a PHP module to encrypt the password? Or is it something else that I'm not thinking of?
Any and all answers are appreciated, and if I worded anything poorly, I'm counting on you to call me out on it ;)
PHP's built in hashing methods works well. No need to call inn third party libraries.
You should take a look at the hash() function. Remember to use a strong salt when saving the hash. There should be plenty of good articles around the internet about this, and also here.
As pointed out by drrcknlsn in a comment, md5 and sha1 would bad choices since they are considered broken.
Also, as Grexis points out in his answer, PBKDF2 is also one method the you could look into.
I realize that this question has already been answered, but here is a hashing function that I use. It's a PHP PBKDF2 Implementation (described in RFC 2898):
public static function hash($p, $s, $c = 5000, $kl = null, $a = 'sha256'){
$hl = strlen(hash($a, null, true));
if(is_null($kl)) $kl = $hl;
$kb = ceil($kl/$hl);
$dk = '';
for($block = 1; $block <= $kb; $block++){
$ib = $b = hash_hmac($a, $s.pack('N', $block), $p, true);
for($i = 0; $i < $c; $i++)
$ib ^= ($b = hash_hmac($a, $b, $p, true));
$dk .= $ib;
}
return substr($dk, 0, $kl);
}
More information here: Encrypting Passwords with PHP (The function above is only slightly modified from this location to provide default values)
