Hash passwords with bcrypt in the database or in php code?
Asked by Kzqai, 1.1k views

I use bcrypt for password hashing everywhere in my php apps. However, there is still a choice between using bcrypt in the database or using bcrypt in php code. While I believe that using bcrypt is better than most other hashing options, is it more secure to use bcrypt via a function in the database, or via a function in php?

There are 2 best solutions below

Dave Chen
Personally I think this could go either way:
If you say that the raw password can be sniffed on its way to the database, the same also goes for hashes. The only security added is security through obscurity. They don't know what hashing algorithm you are using, and when they find out, hashes can be cracked with time.
The issue is that people can sniff data from PHP to the database, not that the raw password is being sent. If you use SSL with your database, you should have no issues. (Not unless your database logs what queries have been sent; if your database does log queries, then you should hash with PHP.)
An upside with database hashing would be that it's faster.
I would go for the second option and calculate the BCrypt hash in the PHP code.
If you place the password inside the SQL statement, there are additional possibilities it can leak. First the connection to the database must be made secure and then it could end up in log files.
If you place the hash in the SQL statement, you only have to care about a secure transfer to your application; the rest will be safe because only the hash can leak. As a bonus you do not have to care about SQL injection and encoding/escaping issues. Another advantage is that you are independent of the database system: you can also support databases without a BCrypt implementation (most databases do not offer a BCrypt function, or only by installing an extension).
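Here is what the second answer's approach looks like in practice, as an added example that is not part of the question or of either answer: the password is hashed in PHP with password_hash()/password_verify() and only the bcrypt hash is bound into a prepared statement. It also illustrates the query-log concern from the first answer, because no plaintext ever becomes part of an SQL statement, so a statement log can only ever record the hash. The in-memory SQLite database, the users table, the cost of 12 and the sample credentials are all constructed for this example.

```php
<?php
// Added example (not from the question or either answer): hash in PHP so that only
// the bcrypt hash reaches the database. Uses an in-memory SQLite database via PDO and a
// constructed users table so it runs stand-alone.
declare(strict_types=1);

// Assumption: tune the cost so password_hash() takes roughly 100-250 ms on your hardware.
const BCRYPT_COST = 12;

function openDatabase(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    // bcrypt output is 60 characters; TEXT leaves room for longer future algorithms.
    $db->exec('CREATE TABLE users (
        username      TEXT PRIMARY KEY,
        password_hash TEXT NOT NULL
    )');
    return $db;
}

function registerUser(PDO $db, string $username, string $password): void
{
    // Hashing happens in application code: the plaintext is never interpolated into or
    // bound to an SQL statement, so it cannot show up in a query log or on the DB link.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);

    // Prepared statement: the hash is a bound parameter, so no escaping or injection concerns.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// A hash computed once per process and verified against when the username does not
// exist, so a login attempt costs the same time whether or not the account is real.
function dummyHash(): string
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy-password-for-timing', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    return $dummy;
}

function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();

    $exists = ($hash !== false);
    if (!$exists) {
        $hash = dummyHash();
    }

    // password_verify() reads the algorithm, cost and salt from the stored hash itself.
    if (!$exists || !password_verify($password, $hash)) {
        return false;
    }

    // Transparent upgrade: if BCRYPT_COST was raised since this hash was stored, re-hash
    // now, while the plaintext is still in memory for this request.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $new = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute([':h' => $new, ':u' => $username]);
    }
    return true;
}

// Constructed sample run.
$db = openDatabase();
registerUser($db, 'alice', 'correct horse battery staple');
var_dump(loginUser($db, 'alice', 'correct horse battery staple'));
var_dump(loginUser($db, 'alice', 'wrong password'));
var_dump(loginUser($db, 'nobody', 'anything'));
```

Compare this with a database-side design, where the statement has to receive the plaintext as a parameter (for example an INSERT that calls the database's own bcrypt function on it): that value then travels the PHP-to-database connection and is written to any general query log, which is exactly the exposure both answers describe. Keeping the hash in PHP also means the same code works unchanged against databases that have no bcrypt function at all.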