CodeIgniter Forums
clear text password to ? - Printable Version


clear text password to ? - richb201 - 04-21-2021

Right now I am using a clear text password. I keep it in mySQL RDS on AWS in a table. I was planning on moving it to use fusionAuth to maintain passwords but I am out of time (and energy) to get that into the code (and fusionAuth is changing their pricing strategy). So I am back to using regular old CI3 code for the time being.

What is the best practice to secure that password and keep it in my mysql table? I have a way for a user to self register and also to reset their password already in the code. 


RE: clear text password to ? - InsiteFX - 04-21-2021

Give me a magnifying glass and maybe I can read your post.


RE: clear text password to ? - paliz - 04-21-2021

You are wrong.

CI4 is the most advanced and easy framework I've ever seen.
You build modern apps.


RE: clear text password to ? - richb201 - 04-21-2021

(04-21-2021, 03:09 AM)InsiteFX Wrote: Give me a magnifying glass and maybe I can read your post.
Is that better?


RE: clear text password to ? - albertleao - 04-21-2021

Never ever, ever... ever use clear text passwords.

Did I say ever?


Anyways... if whatever auth framework you're using doesn't support hashing your password, don't use it. If you're rolling your own, please read as much as you can so you know what you're doing. Take a look at the built-in PHP password functions, which can use something like bcrypt hashing:

https://www.php.net/manual/en/ref.password.php


Did I already mention you should never store passwords in clear text?


RE: clear text password to ? - kleber - 04-21-2021

(04-21-2021, 01:28 AM)richb201 Wrote: Right now I am using a clear text password. I keep it in mySQL RDS on AWS in a table. I was planning on moving it to use fusionAuth to maintain passwords but I am out of time (and energy) to get that into the code (and fusionAuth is changing their pricing strategy). So I am back to using regular old CI3 code for the time being.

What is the best practice to secure that password and keep it in my mysql table? I have a way for a user to self register and also to reset their password already in the code. 

I use this script (https://www.openwall.com/phpass) to hash the password and store it in the database. At login, for example, the password sent is also hashed and compared to the passwords already stored.


RE: clear text password to ? - Muzikant - 04-22-2021

The best practice is to use strong hash functions and a salt. Never use plain text or the weak MD5 or SHA1 hash functions. Salting passwords is very important for differentiating possibly identical passwords. All you need is to use these two PHP functions:
password_hash
password_verify

I recommend using the Ion Auth authentication library for your CodeIgniter 3 project. Do not forget about HTTPS on your web server.
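
An added example, not part of the original thread or any poster's code: a one-time conversion of existing clear-text rows to password_hash() output, followed by a login check with password_verify() and password_needs_rehash(). The in-memory $users array, its `password` field and the function names are assumptions standing in for the real MySQL table and CI3 model code.

```php
<?php
// Constructed sample rows standing in for the MySQL users table (hypothetical schema).
$users = [
    'alice@example.com' => ['password' => 'correct horse battery'], // legacy clear text
    'bob@example.com'   => ['password' => 'hunter2'],               // legacy clear text
];

// True when the stored value is already a password_hash() output.
function is_hashed(string $stored): bool
{
    return password_get_info($stored)['algoName'] !== 'unknown';
}

// One-time migration: replace every clear-text value with a salted hash.
// The column must be wide enough for the result; the PHP manual suggests 255 characters.
function migrate_clear_text(array &$users): int
{
    $converted = 0;
    foreach ($users as &$row) {
        if (!is_hashed($row['password'])) {
            $row['password'] = password_hash($row['password'], PASSWORD_DEFAULT);
            $converted++;
        }
    }
    unset($row); // drop the dangling reference left by foreach
    return $converted;
}

// Login: verify against the stored hash, then re-hash if the default algorithm or cost changed.
function login(array &$users, string $email, string $password): bool
{
    if (!isset($users[$email]) || !is_hashed($users[$email]['password'])) {
        return false; // unknown user, or a row the migration has not converted
    }
    if (!password_verify($password, $users[$email]['password'])) {
        return false;
    }
    if (password_needs_rehash($users[$email]['password'], PASSWORD_DEFAULT)) {
        $users[$email]['password'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

var_dump(migrate_clear_text($users));
var_dump(login($users, 'alice@example.com', 'correct horse battery'));
var_dump(login($users, 'alice@example.com', 'wrong guess'));
var_dump(migrate_clear_text($users)); // idempotent: already-hashed rows are skipped
```

The registration and password-reset paths need the same change: they should write password_hash() output to the table and never the submitted value.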


RE: clear text password to ? - InsiteFX - 04-22-2021

Need I say this over and over?

READ:

Implementing Secure User Authentication in PHP Applications with Long-Term Persistence (Login with "Remember Me" Cookies)


RE: clear text password to ? - richb201 - 04-23-2021

OK, OK. I wasn't planning on keeping the clear text passwords! Anyway, I went back to using fusionAuth which, while a little difficult to implement, seems to work pretty well. In it I am using passwordless logins which rely on users keeping their email passwords secure.