Password Hashing

If you are a web developer then you should already be aware of the implications of storing passwords in cleartext in a database. Doing so is one of the largest mistakes that you can make when designing the infrastructure for a site. All it would take is for one account to be compromised and its privileges elevated, and an attacker would have the plaintext passwords of every user signed up on the site. Imagine the horror!

The PHP Security Consortium has a well-written article on using password hashing in web-based applications. If you are still storing passwords in cleartext in a database then I highly suggest reading this article and then working on migrating to storing password hashes instead. When the inevitable security breach comes to light, do not be surprised.

In this article I’m going to cover password hashing, a subject which is often poorly understood by newer developers. Recently I’ve been asked to look at several web applications which all had the same security issue - user profiles stored in a database with plain text passwords. Password hashing is a way of encrypting a password before it’s stored so that if your database gets into the wrong hands, the damage is limited. Hashing is nothing new - it’s been in use in Unix system password files since long before my time, and quite probably in other systems long before that. In this article I’ll explain what a hash is, why you want to use them instead of storing real passwords in your applications, and give you some examples of how to implement password hashing in PHP and MySQL.

In the unlucky event that you are storing cleartext passwords in a database, writing a script to store the password hash instead should be quite easy. Like I said previously, I highly recommend changing your design if you are using this horrible one. You will thank yourself, and this article, in the long run.
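As an added example (not code from the original post or from the PHPSC article), here is what that script looks like in PHP with PDO and MySQL: registration stores a salted bcrypt hash, login verifies against it, and a one-off migration rewrites any rows that still hold cleartext. It assumes a hypothetical `users(id, username, password)` table whose `password` column is wide enough (VARCHAR(255)) to hold a hash.

```php
<?php
// Added example, not from the original post. Assumes a hypothetical
// table users(id, username, password VARCHAR(255)).

function registerUser(PDO $db, string $username, string $password): void
{
    // password_hash() picks a random per-user salt and embeds it in the result
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function checkLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user; same answer as a bad password
    }
    // password_verify() reads salt and cost out of the stored hash
    if (!password_verify($password, $stored)) {
        return false;
    }
    // Upgrade old hashes transparently once the default cost/algorithm changes
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

// One-off migration for a table that still holds cleartext passwords.
// Rows whose value already parses as a known hash are left alone, so the
// script is safe to re-run.
function migrateCleartextPasswords(PDO $db): int
{
    $migrated = 0;
    $rows = $db->query('SELECT id, password FROM users')->fetchAll(PDO::FETCH_ASSOC);
    $upd = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
    foreach ($rows as $row) {
        if (password_get_info($row['password'])['algoName'] !== 'unknown') {
            continue; // already hashed
        }
        $upd->execute([password_hash($row['password'], PASSWORD_DEFAULT), $row['id']]);
        $migrated++;
    }
    return $migrated;
}
```

Run the migration once inside a transaction and then drop or purge any backups, logs or replicas that still contain the cleartext column, since rewriting the live table does not remove copies made earlier.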
