Rehash a password


  • Very often I see PHP code that hashes user passwords with MD5, or that stores them without a salt. This can be a serious security issue: an unsalted MD5 hash of a common password can usually be reversed with a rainbow table lookup. Therefore we want to protect passwords with a stronger hash and a salt.

    A salt is a random string that you append to a user's password before you hash it and save it to the database. Because each user gets a different salt, two users with the same password end up with different hashes, and precomputed tables built without the salt no longer apply.
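    To make the point about rainbow tables and salts concrete, here is an added example (my own code, not from the original post or from the NewHash class). It builds a tiny constructed lookup table of MD5 digests of common passwords in place of a real rainbow table, shows that an unsalted hash is a direct key into that table while a salted one is not, and then shows the caveat a practitioner should keep in mind: because the salt is stored next to the hash, a fast hash such as SHA-256 still lets an attacker who has the row try guesses at millions per second. The password list and the salt length (7 random bytes, 14 hex characters, fitting a VARCHAR(15) column) are assumptions for the demo.

```php
<?php
// Added example, not part of the original post or the NewHash class.
// Shows what a salt does (defeats precomputed tables) and what it does not
// do (slow down per-user guessing against a fast hash such as SHA-256).
declare(strict_types=1);

// Constructed stand-in for a rainbow table: MD5 digests of a few common passwords.
const COMMON_PASSWORDS = ['123456', 'password', 'qwerty', 'letmein', 'welcome1'];

function buildLookupTable(array $passwords): array
{
    $table = [];
    foreach ($passwords as $pw) {
        $table[md5($pw)] = $pw;
    }
    return $table;
}

// Reverse a stored hash by table lookup; null when the hash is not in the table.
function lookup(array $table, string $storedHash): ?string
{
    return $table[$storedHash] ?? null;
}

// Per-user guessing: the attacker has the row, so the salt is known to them.
// Returns the number of guesses needed, or null if the list is exhausted.
function guessSalted(string $storedHash, string $salt, array $candidates): ?int
{
    $tries = 0;
    foreach ($candidates as $candidate) {
        $tries++;
        if (hash_equals($storedHash, hash('sha256', $candidate . $salt))) {
            return $tries;
        }
    }
    return null;
}

// Rough measure of how cheap each guess is with a fast hash on this machine.
function sha256GuessesPerSecond(string $salt, int $rounds = 200000): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $rounds; $i++) {
        hash('sha256', "candidate{$i}" . $salt);
    }
    return $rounds / ((hrtime(true) - $start) / 1e9);
}

$table = buildLookupTable(COMMON_PASSWORDS);

// 1. Unsalted MD5: the stored value is a direct key into the table.
$storedUnsalted = md5('letmein');
echo 'unsalted MD5 lookup: ', lookup($table, $storedUnsalted) ?? '(not found)', PHP_EOL;

// 2. Salted SHA-256 of the same password: not in any table built without the salt.
$salt = bin2hex(random_bytes(7));          // 14 hex chars, fits VARCHAR(15)
$storedSalted = hash('sha256', 'letmein' . $salt);
echo 'salted SHA-256 lookup: ', lookup($table, $storedSalted) ?? '(not found)', PHP_EOL;

// 3. Same password, two users, two salts: the stored hashes differ.
$other = hash('sha256', 'letmein' . bin2hex(random_bytes(7)));
echo 'same password gives distinct hashes: ', ($other !== $storedSalted ? 'yes' : 'no'), PHP_EOL;

// 4. The caveat: with the salt in hand, guessing is only as slow as the hash.
$tries = guessSalted($storedSalted, $salt, COMMON_PASSWORDS);
echo 'salted hash recovered by guessing after ', ($tries ?? 'more than ' . count(COMMON_PASSWORDS)), ' tries', PHP_EOL;
printf("sha256 guesses per second on this CPU: %.0f\n", sha256GuessesPerSecond($salt));
```

    Run it with `php salt_demo.php` (any file name will do). The last line is the number to look at: it is why a salt alone is not enough and why a deliberately slow password hash is the usual recommendation on top of it.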

    This week I wrote a script that makes rehashing passwords easier. In this tutorial I will explain what the script does.

    The idea behind the script: you include the class in your code, set a few options, and then the class is ready to use. From then on it handles the hashing of the user passwords for you.

    First you set the hash you are currently using; most of the time this will be MD5. The second thing you set is the new hash you want to use; I recommend SHA256. The last thing you set is the PDO connection, which is an instance of the PDO class. After that the settings are ready.

    Usage

    Require the class

    Source Code

    require_once 'path/to/NewHash.php';


    Set settings

    Source Code

    Hash::set(['oldHash' => MD5, 'newHash' => SHA256, 'connection' => $PDOConnection]);


    Check password

    Source Code

    Hash::check('user_input', 'password');


    Explanation

    Settings/options

    • oldHash: the hash your script currently uses. This can be MD5, SHA1, SHA256, SHA384 or SHA512. Default: MD5.
    • newHash: the new hash you want to use. This can be MD5, SHA1, SHA256, SHA384, SHA512 or RIPEMD128. Default: SHA256.
    • connection (REQUIRED): a PDO instance for the database connection. A default that builds the connection for you is planned (see Upcoming).
    • userTable: the user table in the database. Default: 'users'.

    Check password
    • $userInput ('user_input'): the value the user entered to identify themselves; this can be an id, email or username.
    • $password ('password'): the password entered on the login form.
    • return: the user record on success, false on failure or when the user is not found.

    What does the code do?


    When you call Hash::check() the class fetches the user's record from the database. It then determines whether the stored password uses the old hash or the new hash, and whether it has already been salted. If it is an old hash with a salt, an old hash without a salt, or a new hash without a salt, the class rehashes and resalts the password and saves the new hash and salt to the database. On success it returns the user record from the database; on failure it returns false.
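    As an added example of the flow just described (my own code, not the NewHash class from the post), here is a minimal verify-then-rehash check against an in-memory SQLite database through PDO, using the same table layout the post specifies. Assumptions: the old scheme is an unsalted MD5 hex digest, the new scheme is hash('sha256', password . salt) as the post recommends, the scheme of a stored hash is recognised by its hex length, and PHP 8 with pdo_sqlite is available. One caveat a practitioner should weigh before adopting this scheme at all: SHA-256 is a fast hash, so a salted SHA-256 only stops precomputed tables, not per-user brute force. PHP's own password_hash() and password_verify() (the built-in alternative the comment below mentions), together with password_needs_rehash(), use a slow, purpose-built password hash and would drop into the same migrate-on-login pattern in place of newHash() and the comparison shown here.

```php
<?php
// Added example, not the NewHash class: verify a login against a legacy
// (unsalted MD5) or current (salted SHA-256) stored hash and, when the
// password is right and the row is still legacy, upgrade it in place.
// Requires PHP 8 (union return type) and the pdo_sqlite extension.
declare(strict_types=1);

// Assumed algorithm names for hash(); the post's MD5/SHA256 options map onto these.
const OLD_HASH = 'md5';
const NEW_HASH = 'sha256';

function newSalt(): string
{
    // 7 random bytes -> 14 hex characters, so it fits the VARCHAR(15) salt column.
    return bin2hex(random_bytes(7));
}

function newHash(string $password, string $salt): string
{
    return hash(NEW_HASH, $password . $salt);
}

// Infer which algorithm produced a stored hex digest from its length (32 for MD5, 64 for SHA-256).
function storedScheme(array $user): string
{
    return strlen($user['password']) === strlen(hash(OLD_HASH, '')) ? OLD_HASH : NEW_HASH;
}

// Rehash when the row is on the old algorithm or has no salt (the three cases in the post).
function needsRehash(array $user): bool
{
    return $user['salt'] === '' || storedScheme($user) !== NEW_HASH;
}

// Look the user up by id, username or email, as Hash::check() accepts any of the three.
function findUser(PDO $db, string $userInput): ?array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE id = :id OR username = :name OR email = :mail');
    $stmt->execute([':id' => $userInput, ':name' => $userInput, ':mail' => $userInput]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Returns the user row on success (already upgraded if it was legacy), false otherwise.
function check(PDO $db, string $userInput, string $password): array|false
{
    $user = findUser($db, $userInput);
    if ($user === null) {
        return false;
    }
    // Verify with whatever scheme the row is on; an unsalted row simply has an empty salt.
    $expected = hash(storedScheme($user), $password . $user['salt']);
    if (!hash_equals($user['password'], $expected)) {
        return false;
    }
    if (needsRehash($user)) {
        // The plaintext is only available now, at login, so this is the moment to upgrade.
        $salt = newSalt();
        $hash = newHash($password, $salt);
        $db->prepare('UPDATE users SET password = :p, salt = :s WHERE id = :id')
           ->execute([':p' => $hash, ':s' => $salt, ':id' => $user['id']]);
        $user['password'] = $hash;
        $user['salt'] = $salt;
    }
    return $user;
}

// Constructed fixture: the table from the post, with one user still on unsalted MD5.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, username VARCHAR(64),
           password VARCHAR(128), salt VARCHAR(15), email VARCHAR(255))');
$db->prepare('INSERT INTO users (username, password, salt, email) VALUES (?, ?, ?, ?)')
   ->execute(['alice', md5('correct horse'), '', 'alice@example.com']);

echo 'wrong password rejected: ', (check($db, 'alice', 'wrong') === false ? 'yes' : 'no'), PHP_EOL;
$user = check($db, 'alice', 'correct horse');
echo 'login accepted and row upgraded: ', ($user !== false && !needsRehash($user) ? 'yes' : 'no'), PHP_EOL;
echo 'lookup by email after upgrade still verifies: ',
     (check($db, 'alice@example.com', 'correct horse') !== false ? 'yes' : 'no'), PHP_EOL;
```

    Two details worth copying even if you keep the post's class: compare digests with hash_equals() rather than ==, so the comparison does not leak timing and is not fooled by PHP's loose comparison of numeric-looking strings, and generate the salt with random_bytes() rather than a non-cryptographic source. Note also that migrate-on-login only upgrades users who actually log in; rows for dormant accounts stay on the old hash until you expire them.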

    Database

    The user table requires the following five columns.

    id, INT (AI)
    username, VARCHAR()
    password, VARCHAR(128)
    salt, VARCHAR(15)
    email, VARCHAR()

    Upcoming

    In the next updates I will add at least two more functions:
    1. Specify database connection settings. With this you don't need to pass a PDO connection; you just specify the database credentials and the code creates a new PDO object for you.
    2. Just hash a password. This function only hashes a password, without checking it, which is useful on user registration.
    The Source

    You can find this source on Github: dees040/NewHash · GitHub.

    I hope you guys find this class useful. You can always ask me questions about this code or you can create an issue on Github.
    Kind regards,

    Dees


Comments 1

  • FangorN -

    To be fair, functionality to create and validate hashes is a good idea as it makes life easier (although PHP offers this functionality out-of-the-box these days through the functions password_hash() and password_verify() since PHP 5.5.0), but to introduce a dependency like a database connection and even prescribing what the user table should (partially) look like is decidedly odd.

    Classes should have a singular purpose and should preferably be loosely coupled. For example, I would expect some User class (object) to perform authentication by calling some method (authenticate()) which in turn uses a database object and this (helper) class to determine whether some user entered the right authentication information.

    Looking at github the code seems a bit long winded for its intended purpose. If it were to be refactored to a small set of methods that only build and check hashes it could be a nice helper class.