Guest Deleted, posted May 28, 2013

Did any of you guys code sites so that they rehash a user's password every time they log in? I could swear I read about that somewhere, but I can't find it now.
HartleySan, posted May 28, 2013

Never heard of that, but maybe it's out there. It seems to me that if you use something like BCRYPT, though, you can never go wrong.
Larry, posted May 28, 2013

I don't think what you're talking about is each-time password hashing but rather single-use passwords. A more secure approach some sites are using is to authorize user access for each session, with no password storage at all.
HartleySan, posted May 28, 2013

Oh, that's interesting. How do you go about validating users then?
Guest Deleted, posted May 28, 2013

Well, I'm not sure how it works, but when I make hashes with PHP's new password_hash() function, PHP's new password_verify() function doesn't seem to have any problem verifying them, no matter what the salt is. Here I have password_hash() making hashes with a random salt. password_verify() is checking it just fine.

// bcrypt hash with a salt generated by password_hash() itself
$hash = password_hash("22bubbles", PASSWORD_BCRYPT);
print $hash.'<br />';
if (password_verify('22bubbles', $hash)) {
    echo 'Password is valid!!!!!!!!!!!!!!!';
} else {
    echo 'Invalid password.';
}

It also works when I manually pick a salt:

// Caller-supplied 22-character salt. (The 'salt' option is deprecated as of
// PHP 7.0 and ignored in PHP 8.0; characters outside ./A-Za-z0-9 are
// base64-encoded by password_hash() before use.)
$options = array(
    'salt' => 'BCRYPT22CharSaltHere!!'
);
$hash = password_hash("22bubbles", PASSWORD_BCRYPT, $options);
print $hash.'<br />';
if (password_verify('22bubbles', $hash)) {
    echo 'Password is valid!!!!!!!!!!!!!!!';
} else {
    echo 'Invalid password.';
}

I'm guessing that password_verify() can somehow determine the salt by looking at the hash. Anyway, I don't know where on earth I heard somebody say that they rehash users' passwords every time they log in, but the way I picture it working is they just run the plain-text password through password_hash(), let it give it a random salt, and update the database with the new hash.

If you want to play with password_hash() and password_verify(), get this code: https://github.com/ircmaxell/password_compat/blob/master/lib/password.php

Or you can get PHP 5.5, but it's still in alpha, I think.
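The following is an added example, not code from the thread, from PHP's documentation or from password_compat. It ties the two questions above together: it pulls the salt and cost out of a bcrypt string to show why password_verify() needs no separate salt, and it implements the "rehash on login" idea, but only when the stored hash is weaker than current policy. The bcryptParts() and login() helpers, the HASH_ALGO constant and the in-memory user table are assumptions made for the example; it needs PHP 5.5 or later (or password_compat on 5.3.7+), and hash_equals() needs 5.6 or later.

```php
<?php
// Added example, not code from the thread: read the salt and cost back out of a
// bcrypt string, confirm that is all password_verify() needs, and re-hash a
// stored password at login only when password_needs_rehash() says it is out
// of date. Assumes PHP >= 5.5 (or ircmaxell/password_compat on 5.3.7+);
// hash_equals() needs PHP >= 5.6.

// A bcrypt string is self-describing:
//   "$2y$" . two-digit cost . "$" . 22-char salt . 31-char digest
// so a verifier recovers salt and cost from the stored hash itself.
function bcryptParts($hash) {
    if (!preg_match('/^\$2[aby]\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/', $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return array('cost' => (int) $m[1], 'salt' => $m[2], 'digest' => $m[3]);
}

// Current policy (hypothetical): bcrypt with cost 12. Hashes stored with a
// lower cost or a different algorithm are upgraded the next time the user
// logs in, because login is the only moment the plaintext is available.
define('HASH_ALGO', PASSWORD_BCRYPT);
$hashOptions = array('cost' => 12);

// Verify, then re-hash only if the stored value no longer matches policy.
// Re-hashing on every login is harmless (fresh random salt each time) but
// adds no strength; upgrading cost or algorithm is what actually helps.
function login(array &$users, $name, $password, array $hashOptions) {
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name]['hash'];
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, HASH_ALGO, $hashOptions)) {
        $users[$name]['hash'] = password_hash($password, HASH_ALGO, $hashOptions);
    }
    return true;
}

// Constructed "user table": alice's hash was made under an older cost-10 policy.
$users = array(
    'alice' => array('hash' => password_hash('22bubbles', PASSWORD_BCRYPT, array('cost' => 10))),
);

$before = bcryptParts($users['alice']['hash']);
echo "stored: cost {$before['cost']}, salt {$before['salt']}\n";

// Re-running bcrypt with the salt and cost read out of the hash reproduces the
// whole string; comparing the two is all password_verify() does internally.
$recomputed = crypt('22bubbles', sprintf('$2y$%02d$%s', $before['cost'], $before['salt']));
echo "recomputed matches stored: " . (hash_equals($users['alice']['hash'], $recomputed) ? 'yes' : 'no') . "\n";

var_dump(login($users, 'alice', 'wrong-password', $hashOptions)); // wrong password: no rehash
var_dump(login($users, 'alice', '22bubbles', $hashOptions));      // correct: cost-10 hash replaced

$after = bcryptParts($users['alice']['hash']);
echo "after login: cost {$after['cost']}, salt {$after['salt']}\n";
```

The salt is not a secret: it lives in the first 29 characters of the stored string, which is why a caller-supplied salt gains nothing and why password_verify() takes only the password and the hash. Keep the cost in one place (the $hashOptions array here) so that raising it later automatically triggers upgrades through password_needs_rehash().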
StephenM, posted June 20, 2013

Been busy for a bit there and away from the computer, so getting to this thread rather late. Thoroughly enjoyed reading some of the posts on this thread. I'm way off the "entry stage" yet, but it is something I regularly think about. Apart from pure programming power, it seems to me like patience, good timing and perhaps a dash of luck are also useful.
HartleySan, posted June 21, 2013

Yes, I agree. Naturally, it's good to have programming prowess, but I agree that that's not all there is to it. If you work hard, have a portfolio and keep trying, though, I think it will happen (or at least, I hope it will happen, as I continue to look for work myself).
StephenM, posted June 21, 2013

HartleySan wrote: "Yes, I agree. Naturally, it's good to have programming prowess, but I agree that that's not all there is to it. If you work hard, have a portfolio and keep trying, though, I think it will happen (or at least, I hope it will happen, as I continue to look for work myself)."

echo "If you work hard, have a portfolio and keep trying though, I think it will happen";

Exactly how I think.