How do I encrypt user passwords for forum registration?

What is the most secure way to encrypt user passwords for phpBB or MyBB registration? I don't want anyone to be able to access the passwords of users, even those who administer the MySQL database, or if someone manages to hack into the database so that they cannot be viewed. I only want users to log in to find out their passwords.

+3




2 answers


I totally agree with Federico Razzoli's answer except for one thing. Indeed, hashing should be done upstream, not at the database level anyway (so your question is probably off topic).

However, simply using a hash function is not sufficient from a security standpoint. You are still vulnerable to dictionary attacks, rainbow table attacks, and some frequency analysis attacks. It is important to at least use cryptographic salt.



However, it is best to use the key derivation feature for storing passwords. I suggest you look at PBKDF2 (hash_pbkdf2 with PHP), bcrypt (password_hash with PHP, which uses a sane algorithm by default, bcrypt currently) or scrypt.

Finally, your question suggests that you are using phpBB; this forum mechanism usually has to deal with securely storing passwords.

+6
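The salted key-derivation approach recommended in the answer above, shown as an added example (it is not part of the original answer and is not phpBB or MyBB code). The in-memory `$users` array and the function names `register_user` and `check_login` are hypothetical stand-ins for the forum's own user table and login code; the sample passwords are constructed.

```php
<?php
declare(strict_types=1);

// Constructed in-memory stand-in for the forum's users table (hypothetical).
$users = [];

function register_user(array &$users, string $name, string $password): void
{
    // password_hash() generates a random salt itself and embeds the
    // algorithm, cost and salt in the returned string, so only this one
    // value is stored. The plaintext password is never stored.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

function check_login(array &$users, string $name, string $password): bool
{
    // Unknown users are verified against a dummy hash so that both code
    // paths perform a comparable amount of work.
    static $dummy = null;
    $dummy ??= password_hash('dummy-value', PASSWORD_DEFAULT);
    $stored = $users[$name] ?? $dummy;

    $ok = password_verify($password, $stored) && isset($users[$name]);

    // If PHP's default algorithm or cost has changed since the hash was
    // created, re-hash while the plaintext is available at login.
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $ok;
}

register_user($users, 'alice', 'correct horse battery staple');
register_user($users, 'bob', 'correct horse battery staple');

// Same password, but the stored strings differ because the salts differ,
// which is what defeats rainbow tables and frequency analysis.
var_dump($users['alice'] !== $users['bob']);

var_dump(check_login($users, 'alice', 'correct horse battery staple'));
var_dump(check_login($users, 'alice', 'wrong password'));
var_dump(check_login($users, 'mallory', 'anything'));
```

A database administrator or someone who dumps the table sees only the output of `password_hash()`, which cannot be reversed to the password and must be attacked one guess at a time per user.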




You can use SHA512.

I see that you have used the "mysql" tag. Please do not use the SHA2() SQL function or any other SQL hash function. If you do this, simple strings will be sent over the network and probably written in some logs.

Use the PHP function hash() instead and specify 'sha256' as the first parameter.

+1


source






