Hash passwords with bcrypt in the database or in php code?
1.1k views, asked by Kzqai
I use bcrypt for password hashing everywhere in my php apps. However, there is still a choice between using bcrypt in the database or using bcrypt in php code. While I believe that using bcrypt is better than most other hashing options, is it more secure to use bcrypt via a function in the database, or via a function in php?
There are 2 answers
Answer by Dave Chen:
Personally I think this could go either way:
If you say that the raw password can be sniffed on its way to the database, the same also goes for hashes. The only security added is security through obscurity. They don't know what hashing algorithm you are using, and when they find out, hashes can be cracked with time.
The issue is that people can sniff data from PHP to the database, not that the raw password is being sent. If you use SSL with your database, you should have no issues. (Not unless your database logs what queries have been sent; if your database does log queries, then you should hash with PHP.)
An upside with database hashing would be that it's faster.
I would go for the second option and calculate the BCrypt hash in the PHP code.
If you place the password inside the SQL statement, there are additional possibilities it can leak. First the connection to the database must be made secure and then it could end up in log files.
If you place the hash in the SQL statement, you only have to care about a secure transfer to your application; the rest will be safe because only the hash can leak. As a bonus you do not have to care about SQL-injection and encoding/escaping issues. Another advantage is that you are independent of the database system: you can also support databases without a BCrypt implementation (most databases do not offer a BCrypt function, or only by installing an extension).
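The pattern both answers converge on (hash in PHP, send only the hash to the database over a prepared statement) looks like this in practice. This is an added example, not code from either answer. It uses an in-memory SQLite database through PDO so it runs offline; a real application would substitute its own DSN. The cost value, the table layout and the dummy-hash trick for missing users are assumptions of this example. Note the contrast with a database-side approach such as calling a bcrypt function inside the INSERT: that necessarily hands the plaintext to the database as a query parameter, which is exactly what puts it on the wire and into any query log.

```php
<?php
// Added example: bcrypt in PHP code, only the hash reaches the database.
declare(strict_types=1);

// Assumption: tune the cost so one hash takes roughly 100-250 ms on your hardware.
const BCRYPT_COST = 12;

function connect(): PDO
{
    // In-memory SQLite so the example is self-contained; replace with your real DSN.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT UNIQUE NOT NULL,
        password_hash TEXT NOT NULL
    )');
    return $pdo;
}

function registerUser(PDO $pdo, string $username, string $password): void
{
    // The plaintext never leaves this process: only the bcrypt hash is bound into
    // the SQL statement, so neither the connection nor the database's query log
    // ever sees the password itself.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function authenticate(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Verify against a throwaway hash so an unknown username costs the same
        // time as a wrong password (no timing signal for username enumeration).
        static $dummy = null;
        $dummy ??= password_hash('dummy-password-for-timing', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        password_verify($password, $dummy);
        return false;
    }

    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Transparently upgrade stored hashes when BCRYPT_COST is raised later;
    // this is only possible because the plaintext is available in PHP at login.
    if (password_needs_rehash($row['password_hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $newHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => $newHash, ':id' => $row['id']]);
    }
    return true;
}

// Demo with constructed credentials.
$pdo = connect();
registerUser($pdo, 'alice', 'correct horse battery staple');
var_dump(authenticate($pdo, 'alice', 'correct horse battery staple'));
var_dump(authenticate($pdo, 'alice', 'wrong password'));
var_dump(authenticate($pdo, 'nobody', 'wrong password'));
```

Because the stored value is a standard bcrypt string produced by password_hash(), the same rows can be read by any PHP application regardless of which database engine holds them, which is the portability point the second answer makes.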