Welcome Guest, Not a member yet? Register   Sign In
clear text password to ?
#1

(This post was last modified: 04-21-2021, 07:21 AM by richb201.)

Right now I am using a clear text password. I keep it in mySQL RDS on AWS in a table. I was planning on moving it to use fusionAuth to maintain passwords but I am out of time (and energy) to get that into the code (and fusionAuth is changing their pricing strategy). So I am back to using regular old CI3 code for the time being.

What is the best practice to secure that password and keep it in my mysql table? I have a way for a user to self register and also to reset their password already in the code. 
proof that an old dog can learn new tricks
Reply
#2

Give me a magnifying glass and maybe I can read your post.
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
Reply
#3

You are wrong

ci4 is most advance and easy framework ever i ve seen
You build modren apps
Enlightenment  Is  Freedom
Reply
#4

(04-21-2021, 03:09 AM)InsiteFX Wrote: Give me a magnifying glass and maybe I can read your post.
is that better?
proof that an old dog can learn new tricks
Reply
#5

(This post was last modified: 04-21-2021, 10:17 AM by albertleao.)

Never ever, ever... ever use clear text passwords.

Did I say ever?


Anyways... if whatever auth framework you're using doesn't support hashing your password, don't use it. If you're rolling your own, please read as much as you can so you know what you're doing. Take a look at the built in php password functions that can use something like bcrypt hashing

https://www.php.net/manual/en/ref.password.php


Did I already mention you should never store passwords in clear text?
Codeigniter is simply one of the tools you need to learn to be a successful developer. Always add more tools to your coding arsenal!
Reply
#6

(04-21-2021, 01:28 AM)richb201 Wrote: Right now I am using a clear text password. I keep it in mySQL RDS on AWS in a table. I was planning on moving it to use fusionAuth to maintain passwords but I am out of time (and energy) to get that into the code (and fusionAuth is changing their pricing strategy). So I am back to using regular old CI3 code for the time being.

What is the best practice to secure that password and keep it in my mysql table? I have a way for a user to self register and also to reset their password already in the code. 

I use this script (https://www.openwall.com/phpass) to hash the password and store it in the database. At login, for example, the password sent is also hashed and compared to the passwords already stored.
Reply
#7

(This post was last modified: 04-22-2021, 07:50 AM by Muzikant.)

The best practice is using strong hash functions and salt. Never use plain text or weak MD5 or SHA1 hash functions. Salting passwords is very important for differentiating possible same passwords. Everything you need is to use these two PHP functions:
password_hash
password_verify

I recommend you to use Ion Auth authentication library for your CodeIgniter 3 project. Do not forget on HTTPS on your web server.
Reply
#8

Need I say this over and over.

READ:

Implementing Secure User Authentication in PHP Applications with Long-Term Persistence (Login with "Remember Me" Cookies)
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
Reply
#9

OK, OK. I wasn't planning on keeping the clear text passwords! Anyway, I went back to using fusionAuth which, while a little difficult to implement, seems to work pretty well. In it I am using passwordless logins which rely on users keeping their email passwords secure.
proof that an old dog can learn new tricks
Reply




Theme © iAndrew 2016 - Forum software by © MyBB