Friday, January 14, 2011

Good Security Practice - Never Store Passwords in Plain Text

There are many, many things to take into consideration when building a secure application.

Today I am going to be talking about storing passwords in a database.

It is all too easy to assume that just because you use an SSL certificate, your clients' passwords are safe from prying eyes. But what if someone gets access to your database?

One of the most overlooked areas in an organization's security infrastructure is backups, including backups of MySQL databases. All it takes is one disgruntled ex-employee or clever hacker for all of your data to be out there for the world to see.

An easy way to protect passwords is a one-way hash. Let's be honest here: there is no reason for you to ever be able to see your clients' passwords.

Before you save a new client's password to the database, simply run it through a one-way hash. For added security you can also add a salt value to the hash, like so:

// here we set a global salt value for our site
define('SITESALT', 'YAWRIFJW');

// this function prepares a password for insertion into the database
function getEncryptedPassword($password) {
   return sha1(SITESALT.$password);
}

// now we call our function
$secure_password = getEncryptedPassword($plain_password);

This same function can be called when a client logs in: hash the submitted password the same way and compare it with the stored value. This way, if anyone ever gets access to the data, they won't be able to just read off all of your clients' passwords.
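The snippet above uses one site-wide salt and a single SHA-1 pass. A practitioner will want to see the two properties that matter when a database copy does leak: whether two accounts with the same password end up with the same stored value (they do with a shared salt, which lets an attacker crack many accounts for the price of one), and how expensive each guess is. The following is an added example, written for this post and not the author's code, that puts the post's scheme next to a hardened one: a random per-user salt, a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library), and a constant-time comparison at login. The `SITE_SALT` value is copied from the post; the iteration count and the `algo$iterations$salt$hash` storage format are my own assumptions.

```python
import hashlib
import hmac
import os

# Site-wide salt, copied from the SITESALT constant in the post.
SITE_SALT = b"YAWRIFJW"

# Assumed work factor; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def hash_global_salt(password: str) -> str:
    """The scheme from the post: one shared salt, one SHA-1 pass.

    Deterministic per password, so identical passwords produce identical
    hashes across every account in the table.
    """
    return hashlib.sha1(SITE_SALT + password.encode("utf-8")).hexdigest()


def hash_per_user(password: str, salt: bytes = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened form: random per-user salt plus a slow KDF.

    The result is self-describing (assumed format, not a standard one):
        pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>
    so the iteration count can be raised later without breaking old records.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_per_user(password: str, stored: str) -> bool:
    """Login check: recompute with the stored salt and iteration count.

    hmac.compare_digest avoids leaking how many leading bytes matched
    through response timing. Malformed records simply fail to verify.
    """
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk.hex(), hash_hex)


def same_password_collides(hash_fn) -> bool:
    """Do two accounts that chose the same password get the same stored value?

    True for the shared-salt scheme, False for per-user salts. A leaked table
    where this is True exposes every reused password at once.
    """
    return hash_fn("correct horse battery staple") == hash_fn("correct horse battery staple")


if __name__ == "__main__":
    # Constructed sample inputs for a quick manual run.
    print("shared salt collides:", same_password_collides(hash_global_salt))
    print("per-user salt collides:", same_password_collides(hash_per_user))
    record = hash_per_user("hunter2")
    print("stored record:", record)
    print("login with right password:", verify_per_user("hunter2", record))
    print("login with wrong password:", verify_per_user("hunter3", record))
```

Storing the iteration count alongside each record is what lets you migrate: when a user logs in successfully under an old, cheaper setting, re-hash with the current parameters and overwrite the row.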
