Not sure if hashed is the right word to describe this question. Nonetheless, if not, please replace the word hash with whatever word you think is appropriate.
So, still that registration form where a user needs to input some data, a.o. a password. Now I don't want the password to be stored in plain text, how can you hash a password to appear as a long string of characters in your mysql db table (using php)?
As a result of that, how do you handle the 'password retrieval' function for that matter?
Have googled the question but everything I came across doesn't seem to do the trick.
pearl_jan wrote:
I don't want the password to be stored in plain text, how can you hash a password to appear as a long string of characters in your mysql db table (using php)? As a result of that, how do you handle the 'password retrieval' function for that matter?
The most common ways of doing this are to use md5() or sha1(). Simply pass the password as the argument to either function, and store the result in the database. Note that md5() always creates a 32-character string, and sha1() produces 40 characters, so your password column must be the same width.
Encrypting passwords with one of these hash functions is a one-way process. You can't decrypt the value once it has been encrypted. When you log in a user, you pass the submitted value to the same function, and compare the result with the value stored in the database.
Because it's a one-way process, you can't retrieve a "lost password". A new password needs to be created.
[Edited by David Powers on 12 July 2016] The above information was correct at the time it was originally posted in 2011. For PHP 5.5 and later, you should always use the password_hash() function to hash passwords before storing them in the database. Use password_verify() to check a password that has been encrypted this way.
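The password_hash() / password_verify() approach from the edit note, applied to a table that still holds md5() values stored the older way described in this answer, so existing users are upgraded on their next successful login. This is an added example, not code from the thread; the function names register and login, the in-memory $users array and the sample passwords are made up for illustration, and it assumes PHP 7 or later.

```php
<?php
// Added example, not from the thread. $users stands in for a MySQL table
// (assumption); a real password column should be VARCHAR(255), because the
// length of password_hash() output can change with the default algorithm.

function register(array &$users, string $name, string $password): void
{
    // PASSWORD_DEFAULT selects PHP's current default algorithm; the salt and
    // cost are generated automatically and embedded in the returned string.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name];

    // Legacy row: exactly 32 hex characters is an unsalted md5() value.
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        $ok = hash_equals($stored, md5($password)); // constant-time compare
    } else {
        $ok = password_verify($password, $stored);
    }
    if (!$ok) {
        return false;
    }

    // The plaintext is only available at login, so this is the moment to
    // replace a legacy hash or one created with an older algorithm or cost.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample data: one legacy md5 row and one new registration.
$users = ['old_user' => md5('correct horse')];
register($users, 'new_user', 's3cret-Example');

var_dump(login($users, 'old_user', 'correct horse')); // legacy path, then rehash
var_dump(password_get_info($users['old_user']));      // algorithm after upgrade
var_dump(login($users, 'old_user', 'correct horse')); // password_verify() path
var_dump(login($users, 'new_user', 'wrong guess'));   // rejected
```

As with the older scheme, nothing stored here can be turned back into the password, so a lost password is still handled by setting a new one.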