Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Lorna Mitchell:
Upgrade To Better Passwords in PHP
Jan 11, 2016 @ 09:44:55

In a new post to her site Lorna Mitchell encourages you to upgrade to better passwords by using either the built-in password hashing (since PHP 5.5) or by using the userland implementation (that works for >=PHP 5.3.7).

The password features in PHP aren't exactly new, but I see lots of applications from "before" which aren't being migrated to better practices. I have some strategies for doing these migrations so I thought I'd share my main approach, plus a similar-but-different one I saw in the wild (OK it was in CakePHP, so not too wild!).

She offers a few steps to follow to upgrade your application to use the bcrypt solution instead of your current format:

  • Update Login Code (change SQL to just fetch the password, not evaluate it)
  • Hash existing passwords
  • Update registration code (for new passwords to use the new method)
  • Migrate users with old passwords hashes once they've verified their current login

She also mentions alternatives to these approaches including forcing the user to change their password on login.

tagged: password hash bcrypt userland passwordcompat upgrade rehash tutorial

Link: http://www.lornajane.net/posts/2016/upgrade-better-passwords-php