Which PHP and MySQL password hashing

Please, house, which of the password hashing functions in the MySQL column options matches that of PHP's password_hash()?

I like using password_hash() and password_verify() and storing the result in the database, but if I want to change a password from the database directly and I select MD5 from the column options in MySQL and then try to validate it in my PHP script using password_verify('plaintext', $hashfrommysql);

it doesn't work. Please, which hashing function should I select from the MySQL column options?

Thank you

There isn't any. You must use PHP's password_verify().

The security-based reason for this is that the plain-text password will only exist within the PHP code, and only the hashed value will exist outside of the PHP code, such as when it is sent to/from a database or an API.

The technical reason is that the hashed value contains fields that indicate the hash algorithm, cost, salt, and the actual hash value, which password_verify() uses to hash the input password so it can be compared with the hash of the original password.


Always use these.
If you need to change a password, hash it with password_hash() and UPDATE the table with the resulting string.

MD5 is no longer considered secure; don't use it for passwords.

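As an added example (not code from this thread or from any of its posters), the PHP script below shows the points made in the two replies above: what the string produced by password_hash() carries, why an MD5 value made by MySQL cannot be checked with password_verify(), and how to change a password by hashing in PHP and then running the UPDATE. The table and column names (users, username, password_hash) and the PDO connection details are assumptions.

```php
<?php
// Added example, not code from the thread. Table and column names
// (users, username, password_hash) and the PDO connection details are
// assumptions; the password column is a VARCHAR(255) as the thread suggests.
declare(strict_types=1);

// 1. What password_hash() produces: PASSWORD_DEFAULT is bcrypt, so the
//    string begins with "$2y$" and the cost, followed by salt and hash.
//    password_get_info() reads those fields back out of the string.
$hash = password_hash('mynewpasswordtext', PASSWORD_DEFAULT);
$info = password_get_info($hash);
printf("prefix=%s algo=%s cost=%d\n",
    substr($hash, 0, 7), $info['algoName'], $info['options']['cost']);

// 2. An MD5 hex digest, which is what MySQL's MD5() column function
//    gives you, carries no algorithm, cost or salt field, so
//    password_verify() cannot rebuild the hash and rejects it.
$md5 = md5('mynewpasswordtext');
printf("md5 verifies: %s\n",
    password_verify('mynewpasswordtext', $md5) ? 'yes' : 'no');

// 3. Checking against the bcrypt string needs no extra columns: salt and
//    cost are read from the stored value itself.
printf("bcrypt verifies: %s\n",
    password_verify('mynewpasswordtext', $hash) ? 'yes' : 'no');
printf("wrong password verifies: %s\n",
    password_verify('not-the-password', $hash) ? 'yes' : 'no');

// 4. Changing a password the supported way: hash in PHP, then UPDATE the
//    row with the resulting string through a prepared statement. The
//    plaintext never reaches MySQL, so it cannot end up in query logs.
function updatePassword(PDO $db, string $username, string $newPlaintext): int
{
    $stmt = $db->prepare(
        'UPDATE users SET password_hash = :hash WHERE username = :user'
    );
    $stmt->execute([
        ':hash' => password_hash($newPlaintext, PASSWORD_DEFAULT),
        ':user' => $username,
    ]);
    return $stmt->rowCount(); // number of rows changed
}

// Uncomment with real connection details to run against a database:
// $db = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass',
//     [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// updatePassword($db, 'alice', 'mynewpasswordtext');
```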

If you want a definite answer, that's easy to tell you. PHP's password_hash() function uses BCrypt by default to hash your passwords. The result typically starts with $2y${COST}____. You can specify different algorithms if you want when hashing.

Here's a BCrypt password generator if you want to manually update your passwords in the database.

You shouldn't do this, but it's possible. The MySQL columns should all be TEXT or VARCHAR(255). Since these are hashed strings, it doesn't matter which MySQL type you store them in, as long as it's an appropriate one.

Okay, thanks @mabismad and @SamA74.
Due to my long use of WordPress I have just found it very fast to use MD5 from the MySQL column to change a password, since wp_password_verify() can verify it easily.
Anyway, that's how I have always been doing it: hashing using PHP and then copying the hash result and inserting it into the MySQL column.

Thanks @spaceshiptrooper.

There will be no need for external tools or scripts: if I can't do it using bcrypt functions in MySQL directly in the column, then I can just open my PHP coding tools on my laptop and run

echo password_hash('mynewpasswordtext', PASSWORD_DEFAULT);

and then copy the echoed hashed password and insert it into my database.

In that case this is a good read for you.

You can't. The MySQL ENCRYPT() function uses the operating system's crypt() function — if your operating system does not support bcrypt hashes, MySQL will not support them either.

That's the above statement from Stack Overflow; however, my system supports bcrypt in MySQL.

I will try using the bcrypt functions in MySQL to hash and then try verifying it in PHP.

But then it's like whatever system is used to hash keeps some of the data in the log.

Exactly the point. You shouldn't be trying to hash your passwords directly in the database. Unless you've got a solid reason other than "simplicity" and trying to save a few seconds, I would never recommend trying to update the passwords directly in MySQL. Let the user do that if this site is a live site. If it's for testing purposes, just keep using the password_hash() functions in PHP. It's better practice as well.


Surely it's just as easy to have the same code that echoes the password insert into / update your database?

To that end, a single password is no longer secure. Multi-factor authentication is the current security standard.

Yes, it's very easy and safe; I hardly use anything from MySQL other than storing data.
My timestamp is PHP's date() and my password is also PHP's password_hash() and password_verify(); it helps keep everything in one place.

I have multiple factors too, enabled mostly email and SMS, even when some argue that SMS OTP can be spoofed, but that's the one I can use for now alongside email OTP for further confirmation.


When supported I prefer an authentication app like Authy. That is enabled for many of my important accounts including GitHub and AWS which both support auth apps for MFA.

MFA is a pain in the ass for all users. The next step will be VMFA, where the user needs a third auth method to log in...

If I weren't paid for the time I spend each day on MFA logins I would cancel my workership...

MFA is a "let's find a way to compensate for the users who are too stupid to choose a strong password and not use the same password on every porn website as well as for the banking account and the company's intranet connection".


Probably

I don't disagree, but safety and security should be a top concern for everyone, even if it means sacrificing some usability. Organizations should be doing everything they can to secure user data, which includes implementing modern security standards like MFA. Talking about security without responsible action is disingenuous and leaves users open to security breaches. This is not the behavior of a caring person or organization, but that of corrupt fraudsters.

So while it's great to talk about secure, strong passwords, that shouldn't be the end of the conversation. Neither should it be represented as strong security on its own in the modern age of security innovation. Strong passwords and cryptography are only one piece of the puzzle.

This just reminds me of a site where, any time I want to log in, I first sigh. It has a very difficult captcha that I usually fail three or more times before successfully getting it, so I make sure I never log out once I succeed in logging in. That site is dropbox.com; their new captcha on the login page is a pain in the ass.

I agree with this totally: let it cause the pain, but do the work regarding security. Where I get angry most times, though, is that most of these two-factor authentication methods can be bypassed, although I don't know about bypassing Authy or the Google Authenticator app.

I have a bank that questioned the reliability of the Google Authenticator app, so they don't use it as their TFA but use SMS to send the OTP.

And some others believe that SMS OTPs are not reliable and can be spoofed, so I'm twice as confused as to which one is even best among them.