
PHP

Tiffany McAllister
25,806 Points

Hashing Passwords

Hi everyone,

I have developed a very simple admin area using PHP and MySQL. I only have one user, the admin, so I don't have a registration system, I just entered the username and password directly to the database in plain text (as this is for learning purposes only).

Now I want to learn how to hash passwords to make them secure. Can I hash this existing password in the database or do I have to delete the existing user and password and create a registration system to register and hash the password that way?

Sorry if this is a silly question :)

3 Answers

Hi there - not a silly question.

Essentially the process is...

  1. Encrypt (hash) the password at the registration point and insert the encrypted password into the database along with the other user details. This can be easily achieved by using the MD5() function in PHP. Hashing a password of 'cake' might return something that looks like this: 7315a012ecad1059a3634f8be1347846

  2. When the user is logging in, encrypt the password they entered (again) using MD5() and check that it matches the encrypted version stored in the database (from step 1). If both match, then all good. This way you never have a plain text password in your database, ever, just an encrypted string.

Note: MD5 serves a purpose but is not the most secure method (although better than doing nothing at all). It all depends on the application you are creating; use common sense. For example, it's nowhere near good enough for something like a banking application, which would require much higher levels of security, such as more advanced algorithms and salting.

I advise you read this for more info - http://www.sitepoint.com/password-hashing-in-php/

Hope this helps?

Pol Martin
8,200 Points

Hi Tiffany!

After you decide how you will encrypt and hash users' passwords in your app, both options will do the job:

  • You can create a simple PHP script that takes your actual admin password in and outputs the hashed value. Then just execute the script alone, get the value as text and manually insert it in the database overwriting the actual one. You could even make the script update the database field automatically, just for practice and fun.

  • If it's only a two field table (username and password), you can just delete the existing one and insert it again with the new hashed password.

As you see, it is up to you.

In both cases, you should take into consideration that the user here is the admin and not a regular user, so it should not register using the registration form. Instead, you could register it manually in the database for now.

Apart from this, all other users' passwords can be hashed as Ben has explained above.
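The following is an added example for this thread, not code from either answer. It puts Ben's two steps (hash at registration, verify at login) and Pol's first option (a one-off script that hashes the existing plain-text admin password in place) into one runnable PHP script. It uses password_hash() and password_verify() (PHP 5.5+) in place of the MD5() mentioned above, because MD5 is a fast, unsalted digest and PHP's password functions handle the salting and slow algorithm that the note on banking applications refers to. The `users` table, its `username`/`password` columns, and the in-memory SQLite connection via PDO are assumptions made so the script runs offline; the admin row with password 'cake' is constructed sample data.

```php
<?php
// Added example for this thread, not code from the original answers.
// Assumptions: a `users` table with `username` and `password` columns, and an
// in-memory SQLite database via PDO so the script runs stand-alone offline.
// For the real admin area, replace the DSN with the MySQL one.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    // Constructed sample row: the single admin with a plain-text password,
    // which is the starting point the question describes.
    $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)')
        ->execute(['admin', 'cake']);
    return $pdo;
}

// Step 1: hash the password when the account is created and store only the hash.
function registerUser(PDO $pdo, string $username, string $plain): void
{
    // PASSWORD_DEFAULT is bcrypt today; a random salt is generated and embedded in the hash.
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)')
        ->execute([$username, $hash]);
}

// Step 2: at login, check the submitted password against the stored hash.
// password_verify() reads the algorithm, cost and salt out of the hash itself.
function login(PDO $pdo, string $username, string $plain): bool
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user
    }
    return password_verify($plain, $stored);
}

// Pol's first option: hash the existing plain-text admin password in place.
// Returns false, and changes nothing, if the row is missing or already holds
// a recognised hash, so running the script a second time is harmless.
function migratePlaintextPassword(PDO $pdo, string $username): bool
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false || !empty(password_get_info($stored)['algo'])) {
        return false;
    }
    $pdo->prepare('UPDATE users SET password = ? WHERE username = ?')
        ->execute([password_hash($stored, PASSWORD_DEFAULT), $username]);
    return true;
}

$pdo = connect();
var_dump(login($pdo, 'admin', 'cake'));             // before migration
var_dump(migratePlaintextPassword($pdo, 'admin'));  // one-off migration
var_dump(login($pdo, 'admin', 'cake'));             // correct password after migration
var_dump(login($pdo, 'admin', 'wrong'));            // wrong password
var_dump(migratePlaintextPassword($pdo, 'admin'));  // second run finds a hash and skips
```

The guard in migratePlaintextPassword() uses password_get_info(), which reports an empty `algo` for anything that is not a hash it recognises, so the script cannot hash an already-hashed value if it is run twice. The PHP documentation also recommends a password column wider than the 60 characters bcrypt produces today (255 is the usual choice) so that a future default algorithm still fits; that is worth checking on the existing MySQL table before running the migration.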

Tiffany McAllister
25,806 Points

Thank you so much Ben and Pol!

The information you both provided was very helpful! I have now managed to get it working perfectly and most importantly no more plain text passwords stored in the database! Haha.

Thanks again! :)

No problem, Tiffany