Attackers continuously scan the web looking for valuable information to steal from websites. They will try anything to get into your site through whatever security vulnerability they can find, so website security is a big topic nowadays. One of the riskiest factors online today is probably the password. Originally, a password was intended to add a layer of security. In practice, however, there is an ongoing trade-off between password strength and how easy the password is to remember. Seriously, do you have any idea how many online accounts you have at the moment? And how many different passwords – if any – are you using? Do you write the secure passwords down because they are difficult to remember?
A recent study found that the most widely used password online was 123456. The password ‘password’ came second. Can you believe that?
How passwords are encrypted
When you create an account at an online shop you typically enter an email address and a password of your choice. The website may indicate whether it is a so-called strong password or not. When the account is created, the information you entered is sent to the server and stored in the database. Passwords should obviously be protected (also in transit, by using an SSL certificate, but that is a different story) and never stored as-is in the database. Technically, password encryption is not the correct term: passwords are not encrypted (a two-way operation) but hashed (one-way). This makes it very difficult, or even impossible, to recover the password from its hash. Unless, that is, you have a rainbow table of all well-known passwords and their hashes for a given hashing method…
There are a number of hashing algorithms out there, and probably the best known and most widely used today is md5. But md5 is actually not so secure after all. For example, the md5 hash of ‘1234’ can be turned back into the password with one simple Google search, because an unsalted md5 hash of a given input is always identical.
Best practices in password hashing
Currently the best and most secure solution is to use the Blowfish-based hashing method (bcrypt). Luckily for developers, it is not that hard to implement. The online documentation is very clear, and integrating it into your application makes your stored passwords much more secure. However, it only works on modern PHP versions, from version 5.3.0 onwards.
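The following is an added example, not code from the original post: it shows how bcrypt hashing, verification and cost upgrades look with PHP's password_* functions (available since PHP 5.5; the cost value, function names and sample password are my own choices).

```php
<?php
// Added example: bcrypt ("Blowfish", CRYPT_BLOWFISH) password hashing with
// PHP's password_* API (PHP 5.5+). Written without scalar type hints so it
// also runs on PHP 5.5 and 5.6.

// Cost factor chosen for this example: each increment doubles the work.
// Tune it so one hash takes roughly 50-250 ms on your login server.
const BCRYPT_COST = 12;

// Hash a password for storage. bcrypt generates a random salt internally,
// so the same password produces a different hash on every call. The salt
// and cost are embedded in the 60-character result ("$2y$12$..."), so
// nothing else needs to be stored alongside it.
function hashPassword($password)
{
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
    if ($hash === false) {
        throw new RuntimeException('password_hash failed');
    }
    return $hash;
}

// Verify a login attempt against the stored hash. password_verify reads the
// salt and cost from the hash and compares in constant time. If the stored
// hash uses a lower cost (or a different algorithm), a fresh hash is
// produced now, while the plaintext is available, so the caller can update
// the database row.
function verifyAndUpgrade($password, $storedHash)
{
    if (!password_verify($password, $storedHash)) {
        return array('ok' => false, 'newHash' => null);
    }
    $newHash = null;
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST))) {
        $newHash = hashPassword($password);
    }
    return array('ok' => true, 'newHash' => $newHash);
}

// Demonstration with a constructed sample password (never log real ones).
$stored = hashPassword('correct horse battery staple');
echo "stored hash: $stored\n";
var_dump(verifyAndUpgrade('correct horse battery staple', $stored)['ok']);
var_dump(verifyAndUpgrade('123456', $stored)['ok']);

// Contrast with the md5 problem from the post: an unsalted md5 of the same
// input is identical everywhere, which is what makes lookup tables work.
echo "md5('1234') is always " . md5('1234') . "\n";
```

When a hash with a lower cost is found during login, store the returned newHash so the whole user table gradually moves to the current cost without a forced password reset.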