How to best store user information and user login and password

by

Don’t store passwords. If it’s ever sitting on a disk, it can be stolen. Instead, store password hashes. Use the right hashing algorithm, like bcrypt (which includes a salt).

EDIT: The OP has responded that he understands the above issue.

There’s no need to store the password in a physically different table from the login. If one database table is compromised, it’s not a large leap to access another table in that same database.

If you’re sufficiently concerned about security and security-in-depth, you might consider storing the user credentials in a completely separate data store from your domain data. One approach, commonly done, is to store credentials in an LDAP directory server. This might also help with any single-sign-on work you do later.

More Related Contents:

  1. a better approach than storing mysql password in plain text in config file?
  2. How can I prevent SQL injection in PHP?
  3. SQL injection that gets around mysql_real_escape_string()
  4. Secure hash and salt for PHP passwords
  5. Is “mysqli_real_escape_string” enough to avoid SQL injection or other SQL attacks?
  6. How can I store my users’ passwords safely?
  7. Reference: What is a perfect code sample using the MySQL extension? [closed]
  8. How to create a secure mysql prepared statement in php?
  9. Two-way encryption: I need to store passwords that can be retrieved
  10. How do I use password hashing with PDO to make my code more secure? [closed]
  11. Using PHP 5.5’s password_hash and password_verify function
  12. Generating a random password in php
  13. What does it mean to escape a string?
  14. SQL injections in ADOdb and general website security
  15. How to retract a salted password from the Database and auth user?
  16. PHP MySQLI Prevent SQL Injection [duplicate]
  17. Why is using a mysql prepared statement more secure than using the common escape functions?
  18. how safe are PDO prepared statements
  19. encrypt and decrypt md5
  20. Why is password_verify returning false?
  21. “slash before every quote” problem [duplicate]
  22. How to create a laravel hashed password
  23. Hiding true database object ID in url’s
  24. Many hash iterations: append salt every time?
  25. Is it ever ok to store password in plain text in a php variable or php constant?
  26. How to log in to phpMyAdmin with WAMP, what is the username and password?
  27. Best way to connect to MySQL with PHP securely [duplicate]
  28. Strange problem with the length of the field gotten from database [duplicate]
  29. Unique key generation
  30. Improve password hashing with a random salt

Leave a Comment