How to store passwords safely with PHP and MySQL

Password storage is an extremely important issue which many webmasters struggle with. I have to say that even in my years online, I have never come across any site that was completely password free. As far as I can tell, the only site which has ever offered a fully password free option (which is still available) is PayPal. But why is password storage such a big problem?

Password storage is not just a webmaster's concern: anyone who uses a site has to know how to protect their passwords, and it is the webmaster's responsibility to create secure passwords. But how do you protect your password? Many people have discovered that storing a password in their browser cache, or in the wrong type of file, is the quickest and easiest way to give it away. There are also software tools that let you create a password on your own website, but they are rather complicated to use, so they tend to be the least popular of all options.

I thought it might be useful to go over how not to store a password and then point readers to some other articles on password security. This is my first ever article: I recently began working on an in-depth piece on password security, found that I needed to learn more about the different ways of storing passwords, and so chose to write about that first. What follows is a quick overview of the main methods of password storage, with some useful links below the article for those who want more information. Whether you are running an online business or a personal site, this article should help you understand the importance of password security and how not to store a password in your web browser cache.

How not to store passwords and why.

Do not store passwords as plain text

This should be obvious. If someone gains access to your database then all user accounts are compromised. And not only that, people tend to use the same password on different sites so those accounts will be compromised as well. Your site doesn’t even need to be hacked; a system administrator could easily browse your database.

Do not try to invent your own password security

Chances are that you’re no security expert. You’re better off using a solution that has been proven to work instead of coming up with something yourself.

Do not encrypt passwords

Encryption may seem like a good idea but the process is reversible. Anyone with access to your code would have no trouble transforming the passwords back to their originals. Security through obscurity is not sufficient!

Storing a password in a MySQL database

There has been a good debate on Stack Overflow about it; I can't add much more than that:

https://stackoverflow.com/questions/14798275/best-way-to-store-passwords-in-mysql-database
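To make the three rules above concrete, here is an added example (not code from the original post or from the linked Stack Overflow thread) of the pattern PHP itself provides for MySQL-backed logins: a plaintext insert shown next to its hardened form using password_hash() and password_verify() over PDO prepared statements. The `users` table, its `password_hash VARCHAR(255)` column, the DSN and the credentials are assumptions made for the example.

```php
<?php
// Added example: storing and checking passwords with password_hash()/password_verify()
// and PDO prepared statements. Assumed (hypothetical) schema:
//   CREATE TABLE users (
//     id            INT AUTO_INCREMENT PRIMARY KEY,
//     username      VARCHAR(64)  NOT NULL UNIQUE,
//     password_hash VARCHAR(255) NOT NULL   -- wide enough for any algorithm PASSWORD_DEFAULT may pick
//   );
declare(strict_types=1);

function connect(): PDO
{
    // DSN and credentials are placeholders; replace with your own.
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4',
        'app_user',
        'app_password',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// WRONG: the password is written to the table exactly as typed. Anyone who can read
// the table (an attacker, a backup, a curious administrator) has every account.
function registerPlainText(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $password]);
}

// RIGHT: store only a salted, deliberately slow hash. password_hash() draws a random
// salt per password and embeds algorithm, cost and salt in the string it returns, so
// there is nothing to "decrypt" and two users with the same password get different rows.
function registerUser(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Login: look the hash up by username and let password_verify() compare it in constant
// time. If PHP's default algorithm or cost has moved on since the hash was created,
// re-hash now, while the correct password is in hand, and update the row.
function verifyLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still spend a hash verification so that a missing account
        // does not answer measurably faster than a wrong password.
        static $dummyHash = null;
        $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
        password_verify($password, $dummyHash);
        return false;
    }

    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }

    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $update = $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $update->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return true;
}

// Usage when run directly from the command line against the assumed database.
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    $pdo = connect();
    registerUser($pdo, 'alice', 'correct horse battery staple');
    var_dump(verifyLogin($pdo, 'alice', 'correct horse battery staple'));
    var_dump(verifyLogin($pdo, 'alice', 'wrong password'));
}
```

Two caveats worth knowing: PASSWORD_DEFAULT is currently bcrypt, which only looks at the first 72 bytes of the password, and the hash string format can change between PHP versions, which is why the column is kept at VARCHAR(255) and password_needs_rehash() is checked on every successful login rather than assuming the stored format is final.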
