What is the safest way to store a password using Code Igniter?

codeigniter password-protection salt bcrypt password-hash
Aniket picture Aniket · Aug 12, 2011 · Viewed 21.1k times · Source

I am using Code Igniter for my current project.

As of now, I am using MD5 for password hashing, but I have read at a lot of places, that it is not a good practice to do so.

What should I go with?

  1. Using a salt
  2. Or should I use bcrypt

Also, if bcrypt is recommended, then how to use it with Code Igniter?

EDIT

I have put these files in application/libraries

  1. PasswordHash.php
  2. c/Makefile
  3. c/crypt_private.c

In my controller, I am using this code -

$params = array(
       'phpass_hash_strength' => 8,
           'phpass_hash_portable' => FALSE
       );
$this->load->library('PasswordHash', $params);
$password = $this->passwordhash->HashPassword($pwd);

I am getting these errors -

A PHP Error was encountered

Severity: Notice

Message: Uninitialized string offset: 3

Filename: libraries/PasswordHash.php

Line Number: 116

A PHP Error was encountered

Severity: Warning

Message: strpos() [function.strpos]: Empty delimiter

Filename: libraries/PasswordHash.php

Line Number: 116

Update

Removed PasswordHash.php, using SimpleLoginSecure now.

Answer

Endophage picture Endophage · Aug 12, 2011

Use bcrypt. This discussion came up here in the comments to my answer. You can use a library such as phppass to really simplify the password encryption.

On the matter of salt. Use it! Otherwise somebody can simply go to this site and download the rainbow tables that will cover the large majority of passwords the average users chooses. Especially with all the security leaks in the last few months, now is not the time to be saying you won't use something as simple to implement as random salt.

UPDATE

To use PHPPass with CI, download and extract the files from the phppass website, linked above. Put the PasswordHash.php file into your CI application/libraries directory.

In your code, you then load the library via: $this->load->library('PasswordHash',array(8, FALSE));

Hashing passwords is then as simple as $this->PasswordHash->HashPassword($password);

To later check if a password is correct, it is as simple as:

$password = $_POST['password'];
$actualPassword = /*Get the hashed password from your db*/;

$check = $this->PasswordHash->CheckPassword($password, $actualPassword);

I've taken this demo from http://dev.myunv.com/articles/secure-passwords-with-phpass/ which gives you a lot more informations. I've modified that tutorial slightly to utilize CI's loader which is why you don't need the include or new statements.

Related questions

Fatal Error: Allowed Memory Size of 134217728 Bytes Exhausted (CodeIgniter + XML-RPC)

I have a bunch of client point of sale (POS) systems that periodically send new sales data to one centralized database, which stores the data into one big database for report generation. The client POS is based on PHPPOS, and …

Read More
how to get last insert id after insert query in codeigniter active record

I have an insert query (active record style) used to insert the form fields into a MySQL table. I want to get the last auto-incremented id for the insert operation as the return value of my query but I have …

Read More
CodeIgniter removing index.php from url

My current urls look like this [mysite]index.php/[rest of the slug]. I want to strip index.php from these urls. mod_rewrite is enabled on my apache2 server. In config, $config['index_page'] = ''; My codeignitor root .htaccess …

Read More