Using hashing to safely store user passwords

Question

Please try to search StackOverflow before asking a question. Many questions are already answered. For example:

• PHP & MySQL compare password
• how do I create a mySQL user with hash(‘sha256’, $salt . $password)?
• Secure hash and salt for PHP passwords
• User Login with a single query and per-user password salt
• Non-random salt for password hashes

Hi

I want that nobody can see my password even in database..

So i used hash function like this

$passowrd_hash=hash('shal',$_POST['password']);

Now easily I can store this password_hash value into database. It will be something like in encrypted form.

Now user know its original password he don't know this encrypted password.

Now if he try to login through this original password..He is not able to login.

So is there any method so that it can be decrypted and user can make log in. So he can achieve both security of password as well as login again.

How to do this?

Answer 1

you need to hash the user input password and compare hashes.

Answer 2

Before comparing the posted password by the user with the one in the database, encrypt the posted password the same way as the stored password.

Answer 3

All you need to do is encrypt the password you type in and compare the two; the hash in the database and the one you just encrypted. If they match then the password entered is the right one. I am assuming you are using an algorithm like SHA1.

Answer 4

As already answered, you need to hash the password every time they re-enter it and compare the hash to what is in your database.

You ALSO should look into using salt in your hashing algorithm. There is a good deal of discussion in this question:

Secure hash and salt for PHP passwords

Answer 5

You dont need to decrypt it. You cannot convert back a hash to a plain text, its a one way function. So, basically you hash the input password and compare the two hash:

E.g (pseudo code):-

if hash(password entered by user) == password stored in databse Then
    //logged in successfully
else
    //login failed
end if

Answer 6

I highly recommend using md5() http://php.net/manual/en/function.md5.php.

When the user signs up, you store:

$password = md5($_POST['password']);

And when the user logs in you check:

if($_POST['password_entered'] == $passwordFromDB) :
    // Log user in
else :
    // Show error to user
endif;