Welcome to the Treehouse Community
Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.
Looking to learn something new?
Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.
Start your free trial
Tiffany McAllister
25,806 PointsHashing Passwords
Hi everyone,
I have developed a very simple admin area using PHP and MySQL. I only have one user, the admin, so I don't have a registration system, I just entered the username and password directly to the database in plain text (as this is for learning purposes only).
Now I want to learn how to hash passwords to make them secure. Can I hash this existing password in the database or do I have to delete the existing user and password and create a registration system to register and hash the password that way?
Sorry if this is a silly question :)
3 Answers
Ben Brown
Courses Plus Student 662 PointsHi there - not a silly question.
Essentially the process is...
Encrypt (hash) password at registration point and insert encrypted password into database along with other user details. This can be easiliy achieved by using the MD5() function in PHP - Hashing a password of 'cake' might return something that looks like this 7315a012ecad1059a3634f8be1347846
When user is logging in, encrypt the password they entered (again) using MD5() and check it matches the encrypted version stored in the database (like from step 1) if both match then all good. This way you never have a plain text password in your database, ever, just an encrypted string.
Note: MD5 serves a purpose but is not the most secure method (although better than doing nothing at all). It all depends on the application you are creating, use common sense. i.e. it's no way good enough for something like a banking application which would require much higher levels of security such as more advanced algorithms and salting.
I advise you read this for more info - http://www.sitepoint.com/password-hashing-in-php/
Hope this helps?
Pol Martin
8,200 PointsHi Tiffany!
After you decide how you will encrypt and hash user's passwords in your app, both options will do the job:
You can create a simple PHP script that takes your actual admin password in and outputs the hashed value. Then just execute the script alone, get the value as text and manually insert it in the database overwriting the actual one. You could even make the script update the database field automatically, just for practice and fun.
If it's only a two field table (username and password), you can just delete the existing one and insert it again with the new hashed password.
As you see is up to you.
In both cases, you should take in consideration that the user here is the admin and not a regular user so it should not register using the registration form. Instead you could register it manually in the database for now.
Apart from this, all other users passwords can be hashed as Ben has explained above.
Tiffany McAllister
25,806 PointsThank you so much Ben and Pol!
The information you both provided was very helpful! I have now managed to get it working perfectly and most importantly no more plain text passwords stored in the database! Haha.
Thanks again! :)
Ben Brown
Courses Plus Student 662 PointsNo problem Tiffany