DevPicker

Modern online tools to simplify ordinary users and developers daily life. This website has essential impact for everyone.

Check out my new Resources list, those 4 lists definitely help you with something.

Hash text

Hashing - What is it?

A hash is a string or number generated from a string of text. The resulting string or number is a fixed length, and will vary widely with small variations in input. The best hashing algorithms are designed so that it's impossible to turn a hash back into its original string.


Why should I hash passwords supplied by users of my application?

Password hashing is one of the most basic security considerations that must be made when designing any application that accepts passwords from users. Without hashing, any passwords that are stored in your application's database can be stolen if the database is compromised, and then immediately used to compromise not only your application, but also the accounts of your users on other services, if they do not use unique passwords.

NB! It's recommended to use BCrypt or Argon2i hashes, Argon2i is the latest winner of the Password Hashing Competition in July 2015.

By applying a hashing algorithm to your user's passwords before storing them in your database, you make it implausible for any attacker to determine the original password, while still being able to compare the resulting hash to the original password in the future.

It is important to note, however, that hashing passwords only protects them from being compromised in your data store, but does not necessarily protect them from being intercepted by malicious code injected into your application itself.

Useful tips
  • NEVER don't use plain text passwords.
  • If you prefer your own salts, then always use different ones for every password.
  • Use PHP PASSWORD_DEFAULT algorithm to always be with the latest version of hashing.
  • Try to delay users password entering to fight against brute forcing, ex: Log IPs, and after 10 tries block it for 5min or use google recaptcha, it'll to it automatically.
  • Update your website to SSL (https) to encrypt your data and prevent man in the middle attack.