Using password_verify Returning False With PHPMyAdmin Entry

Hi folks,

I am learning how to make a PHP/MySQL login system and I am using a function called “password_verify” which keeps returning false.

The user has been added via PHPMyAdmin with the password field being entered using the MD5 dropdown option.

Here is how I am using the function:

$hashedPwdCheck = password_verify($pwd, $row['user_pwd']);

Do I need to create passwords using a PHP script or is it ok for me to manually enter passwords via PHPMyAdmin?

Thanks in advance for any assistance!

MD5 is way outdated and should NEVER be used for passwords. You need to use password_hash, then you can use password_verify.

3 Likes

That is where you are going wrong.
Don’t use MD5, it’s old, it’s insecure, it does not work with password_verify.
You should be using PHP’s password_hash function to hash passwords.

3 Likes

Thanks for the replies, that answers my question.

So just to confirm, there is no way to set a password within PHPMyAdmin?

Well, you can, a problem being what you have encountered. The hashing must resolve to identical values. Much easier to use one algorithm, PHP makes this easy with the native functions.

Another thing is to reverse engineer the hashed passwords. Assuming you didn’t do anything sophisticated with the hashing, it can easily be reverse engineered. There are MD5 crackers online. Crack the passwords manually one-by-one. Then rehash them using password_hash(). password_verify() will only take hashed passwords from password_hash(). Any passwords hashed using something else, it’ll be wrong. So no using the hash() function either.

I know this isn’t something that you should be doing, so if the only accounts you have are your own, it’s ok. If not, just generate a new password and send them to the owner.
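An added example, not part of the original posts: it shows why password_verify() rejects a value stored through phpMyAdmin's MD5 option, and one way to replace such legacy hashes at the next successful login without recovering the passwords first. The helper name verify_and_upgrade, the user_id column and the sample password are assumptions made for illustration; user_pwd is the column from the question.

```php
<?php
declare(strict_types=1);

// Constructed sample row: the value phpMyAdmin's MD5 option stores for "s3cret-Example".
$row = ['user_id' => 1, 'user_pwd' => md5('s3cret-Example')];

/**
 * Hypothetical helper: check a login attempt and return [ok, replacementHashOrNull].
 * The caller writes a non-null replacement hash back to user_pwd.
 */
function verify_and_upgrade(string $pwd, string $stored): array
{
    // Values written by password_hash() carry an algorithm prefix such as "$2y$".
    if (password_get_info($stored)['algoName'] !== 'unknown') {
        if (!password_verify($pwd, $stored)) {
            return [false, null];
        }
        // Re-hash if PASSWORD_DEFAULT or its cost changed since the row was written.
        $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
            ? password_hash($pwd, PASSWORD_DEFAULT)
            : null;
        return [true, $new];
    }
    // Legacy row: 32 hex characters of unsalted MD5. Compare in constant time and
    // replace it right away, because the plaintext is available at this point.
    if (preg_match('/^[0-9a-f]{32}$/i', $stored) === 1
        && hash_equals(strtolower($stored), md5($pwd))) {
        return [true, password_hash($pwd, PASSWORD_DEFAULT)];
    }
    return [false, null];
}

// An MD5 string has no prefix password_verify() recognises, so this check fails.
var_dump(password_verify('s3cret-Example', $row['user_pwd']));

[$ok, $newHash] = verify_and_upgrade('s3cret-Example', $row['user_pwd']);
if ($ok && $newHash !== null) {
    // In an application: UPDATE the row with a prepared statement keyed on user_id.
    $row['user_pwd'] = $newHash;
}
var_dump($ok);
var_dump(password_verify('s3cret-Example', $row['user_pwd']));
var_dump(verify_and_upgrade('wrong-guess', $row['user_pwd'])[0]);
```

A column sized for MD5 (32 characters) will truncate password_hash() output; the PHP manual recommends a 255-character column so future algorithms fit.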

No, never, under any circumstance, send a password to your users. Instead create a random string, and put that in a URL and send that to the user. When they follow that link they should come to a page where they can set their own password.

3 Likes

Yes. However, password security seems to always be a problem. People seem to always get hacked because they choose passwords like password123 or mypassword. If you generate a strong password for the user, they could either use that password or change it if they want. Allowing them to straight up use weak passwords is just asking them to get hacked.

True, but if they set that password it’s their responsibility. If you set a password for them and send it via email, and some unintended recipient (hacker) gets their hands on that email and compromises the account it’s your responsibility.

Also, you can’t cure stupidity.

6 Likes

The better option is to send the user an email that leads them to the password reset form to enter their email which in turn will send a unique key linked to the password reset form. Never send a password by email.
