After researching best practices for keeping users' passwords safe, I have come across two important PHP functions: password_hash and password_verify.
PHP password_hash provides strong one-way hashing of the user's password (often loosely described as one-way encryption). With this function, the plain-text version of the user's password never needs to be stored on the website; only the hash is saved. The hashes generated by password_hash are salted and deliberately slow to compute, which makes them very difficult to break, so using the function enhances the security of users' accounts.
PHP password_verify is used to authenticate the user's login. At login time, the website uses this function to check the password supplied by the user (transmitted to the website over HTTPS) against the hash stored in the website database. Once authentication has been performed, the supplied password is discarded. By using both password_hash and password_verify, the user's password itself is never saved on the website, which minimizes the risk of passwords being exposed.
LetoFiles' authentication system has been fully upgraded to use these PHP password hashing features. All passwords for existing accounts have been hashed, and the plain-text versions have been purged from the website.
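The registration and login flow described above, as an added example that is not LetoFiles' own code. The `$users` array stands in for the website database, the account and passwords are constructed sample values, and `registerUser`/`authenticate` are hypothetical helper names.

```php
<?php
declare(strict_types=1);

/** Registration: store only the hash, never the plain-text password. */
function registerUser(array &$users, string $username, string $password): void
{
    // PASSWORD_DEFAULT picks the current recommended algorithm (bcrypt today).
    // A random salt is generated and embedded in the returned string, so the
    // hash is self-describing and no separate salt column is needed.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $users[$username] = ['password_hash' => $hash];
    // The plain text is not kept anywhere once the hash exists.
    unset($password);
}

/** Login: check the supplied password against the stored hash. */
function authenticate(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    $storedHash = $users[$username]['password_hash'];

    // password_verify re-derives the hash from the supplied password using the
    // salt and cost encoded in $storedHash and compares in constant time.
    if (!password_verify($password, $storedHash)) {
        return false;
    }

    // If PHP's default algorithm or cost has changed since the hash was made,
    // transparently re-hash now, while the plain text is briefly available.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $users[$username]['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample data: the "database" holds only the hash.
$users = [];
registerUser($users, 'alice', 'correct horse battery staple');
echo 'stored: ', $users['alice']['password_hash'], PHP_EOL;
echo 'algorithm: ', password_get_info($users['alice']['password_hash'])['algoName'], PHP_EOL;

var_dump(authenticate($users, 'alice', 'correct horse battery staple'));
var_dump(authenticate($users, 'alice', 'wrong password'));
var_dump(authenticate($users, 'nobody', 'anything'));
```

Running the script twice produces two different stored hashes for the same password because of the random salt, yet password_verify accepts the correct password against either one.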