How to store passwords safely with drupal
Despite everyone's efforts to make the internet more secure, cyber-attacks are thriving, as recent hacks have shown. One of our users asked us how to make their users' password storage more secure, so we wrote this article about saving passwords with PHP in Drupal.
To begin with, from our experience, the key to a secure, clean and easy-to-use password storage scheme is a standard library. Don't be surprised: it is easy to use and the chances of making errors are much reduced, so you may want to take it into consideration.
Install ircmaxell/password_compat and use the new simplified password hashing API (built into PHP 5.5.0 and newer; the password_compat library backports it to PHP 5.3.7 and newer).
The new password hashing API exposes four simple functions:
- password_hash() – used to hash the password.
- password_verify() – used to verify a password against its hash.
- password_needs_rehash() – reports whether a stored hash should be recomputed because the algorithm or its options (such as the cost) have changed since it was created.
- password_get_info() – returns the name of the hashing algorithm and various options used while hashing.
Example of code using PHP's password API:
// $pass is what you would store in your database
$pass = password_hash($_POST['password'], PASSWORD_DEFAULT, ['cost' => 12]);

// $pass would be the $pass (above) stored in your database
$check = password_verify($_POST['password'], $pass);
if ($check) {
    echo 'password correct';
} else {
    echo 'wrong pass';
}
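The snippet above only hashes and verifies. The following is an added example (not code from the original article or from Drupal) that puts all four functions together in a small registration and login flow: it stores only the hash, verifies on login, upgrades an old hash when password_needs_rehash() says the cost is out of date, and inspects the result with password_get_info(). The $users array stands in for a database table, and the user name and passwords are constructed sample values; the hashOptions() helper and the PHP 5.5+ (or password_compat) requirement are assumptions.

```php
<?php
// Added example, not part of the original article. Requires PHP >= 5.5.0 or
// the ircmaxell/password_compat polyfill on PHP >= 5.3.7.

// The options are returned from a helper (assumed name) rather than a const,
// because array constants are not available on PHP 5.5.
function hashOptions()
{
    return ['cost' => 12];
}

// Registration: store only the hash, never the plaintext password.
function register(array &$users, $name, $password)
{
    $users[$name] = password_hash($password, PASSWORD_DEFAULT, hashOptions());
}

// Login: verify against the stored hash and transparently upgrade the hash
// when the algorithm or cost has changed since it was created.
function login(array &$users, $name, $password)
{
    if (!isset($users[$name])) {
        // Run a verification against a dummy hash so that an unknown user
        // costs about the same time as a wrong password for a known user.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('dummy', PASSWORD_DEFAULT, hashOptions());
        }
        password_verify($password, $dummy);
        return false;
    }

    if (!password_verify($password, $users[$name])) {
        return false;
    }

    // The plaintext is available only here, right after a successful
    // verification, so this is the one place a rehash can happen.
    if (password_needs_rehash($users[$name], PASSWORD_DEFAULT, hashOptions())) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT, hashOptions());
    }
    return true;
}

// --- constructed sample run ---
$users = [];
register($users, 'alice', 'correct horse battery staple');

var_dump(login($users, 'alice', 'correct horse battery staple')); // right password
var_dump(login($users, 'alice', 'wrong password'));               // wrong password
var_dump(login($users, 'bob', 'anything'));                       // unknown user

// Simulate a hash created under an older, cheaper policy (cost 10); the next
// successful login replaces it with a cost-12 hash.
$users['alice'] = password_hash('correct horse battery staple', PASSWORD_DEFAULT, ['cost' => 10]);
print_r(password_get_info($users['alice']));
login($users, 'alice', 'correct horse battery staple');
print_r(password_get_info($users['alice']));
```

Two details are worth noting. password_hash() generates a fresh random salt each call, so hashing the same password twice yields two different strings; the salt and the cost are embedded in the hash, which is why password_verify() and password_needs_rehash() need no extra parameters. And the rehash can only take place inside a successful login, because that is the only moment the plaintext is in hand; a cost increase therefore rolls out gradually as users log in.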
Hope this helped!