I know this is a topic talked about a bit, but I want to ask specifically about my application. It's also worth mentioning that I'm fairly new to PHP, and have been learning as I go.
So I wrote a seemingly basic CRUD application, using PHP and MySQL. All of my code is using mysqli_*, and I've tried to use best practices where I could. One thing I have done that most people frown upon is using MD5 to hash my passwords. I think I understand the purpose of using SHA1, as it's supposed to require more cycles than MD5 to hash/unhash, and the salt is supposed to prevent the use of rainbow tables. bcrypt is a newer hashing algorithm, requiring even more cpu cycles than SHA1. At least I think this is how everything is.
It's my understanding that you hash/salt passwords, so if someone gains access to your users table in your database, they don't see your users passwords in plain text. Right?
With my application being a somewhat basic CRUD system (inventory tracking for a small business, with multiple users and definable locations), if someone was to gain access to my users table and see these MD5 hashes, they could easily reverse that into readable passwords and log into my system. However, if they gain access to my database and see my users table, then they could easily see my inventory table, and products table, and all the other tables in the database, getting the data without needing to log into the application. Currently, my web server has PHPMyAdmin and Webmin (with the MySQL module) so if they gain access to either of those, they can see the data in the database and not be concerned with logging into the system itself.
With this in mind, what would be the best practice in this case? I have typical security on my web sever already, such as preventing root SSH access, iptables, etc., but as far as password hashing, should I bother upgrading my code to use bcrypt instead of MD5? Is upgrading to use bcyrpt from MD5 an easy process to do, or would I have to re-engineer how my login system works?
Thanks!
From PHP.net
$hashed_password = crypt('mypassword'); // let the salt be automatically generated
/* You should pass the entire results of crypt() as the salt for comparing a
password, to avoid problems when different hashing algorithms are used. (As
it says above, standard DES-based password hashing uses a 2-character salt,
but MD5-based hashing uses 12.) */
if (crypt($user_input, $hashed_password) == $hashed_password) {
echo "Password verified!";
}
Doesn't look that hard, right? That in mind, passwords aren't the biggest vulnerabilities out there, it takes significantly more time to protect a site from all those XSS, CSRF and other neat stuff like that.
In other words, it isn't all that huge vulnerability, but if security is your first and foremost concern, go for it.
You should definitely switch to BCrypt, since MD5 is ways too fast and therefore can be brute-forced easily. You can calculate about 8 Giga MD5 hashes per second, that means you need only a fraction of a milisecond to try a whole english dictionary.
The best you can do is to use the new PHP function password_hash() to create a BCrypt hash.
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
There exists also a compatibility pack for earlier PHP versions.
Having read access to the database (SQL-injection), does not mean that an attacker has full control of the server and can manipulate things.