Best and simplest was to secure login form

Question

Is it accepted to build a login form where storing password in PHP file?

For example:

Is something like below secure for passwords? assuming that the webserver won't fail and expose the code to browser.

<?php
    if ($_POST["password"] == "mypassword") {
    //some code
?>

I wanted to know if this particular example is secure, considering the assumption

no this is not secure, pls look into password hashing and salt — DZDomi, May 05 '18 at 11:27
Check the news. Passwords leaks happen regularly in almost every major IT company. — Álvaro González, May 05 '18 at 11:35

score 2 · Accepted Answer · edited May 05 '18 at 14:55

2

You should use secure way like below helpful links:

https://secure.php.net/manual/en/function.password-hash.php

https://secure.php.net/manual/en/function.password-verify.php

Here is the example:

// See the password_hash() example to see where this came from.
$hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';

if (password_verify($_POST['password'], $hash)) {
     echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}

Hope this helps

edited May 05 '18 at 14:55

Robert

5,703
2
31
32

answered May 05 '18 at 11:29

Therichpost

1,759
2
14
19

Yeah but is the way that i did secure? – May 05 '18 at 11:29
1

An actual code example would be more useful than just a couple of links. – Nigel Ren May 05 '18 at 11:31
// See the password_hash() example to see where this came from. $hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq'; if (password_verify('rasmuslerdorf', $hash)) { echo 'Password is valid!'; } else { echo 'Invalid password.'; } – Therichpost May 05 '18 at 11:31
@NigelRen true. Im new to PHP and i don't know what is all the hashing and salting about – May 05 '18 at 11:33
1

There's a complete FAQ how to work with passwords - http://php.net/manual/en/faq.passwords.php – u_mulder May 05 '18 at 11:38
@DatProgrammer please mark tick on my if this helps you – Therichpost May 05 '18 at 11:39
I did. Thanks for the help i really appreciate your work here. – May 05 '18 at 11:44
Welcome @DatProgrammer :) – Therichpost May 05 '18 at 11:44

score 1 · Answer 2 · answered May 05 '18 at 11:29

This approach is discouraged because of many reasons. Most important one being security. You never write password in plain text in the source code because source code is to be checked into the source control, and any one can inspect the file and find the password.

You can create environment variables to store passwords and retrieve it in your PHP code using getenv() method. This will be a secure way to do it, because you are not exposing your sensitive information to the world.

score 0 · Answer 3 · answered May 05 '18 at 11:44

No this is not secure. you should use hashing algorithm to make more secure.you can also use hashing with salting.if database is compromised even then also hacker can't see passwords.because when you hash password it can't be decrypt.in simple you cannot change from gibberish to plain text.many users use just one password for every account to resolve this problem you can use hashing and salting

Best and simplest was to secure login form

3 Answers3