Access Denied!
With the ever-growing pace of technology, many would argue about whether its impact will be a key factor in shaping our evolution. An interesting argument it may be, but it is not the subject of this article. One thing is clear: the way we live, relate to others and transact business has been disrupted for good. Sitting in our pockets at all times is a powerful machine, the mobile phone. We are interlinked with many people. With just a few clicks of a button you can make purchases in China or America or anywhere else in the world from Africa (Nigeria). Your Gmail probably also contains a lot of sensitive information. But what is behind the blind trust we put in these means? One may say security.
A password is one major way (of course, there is encryption and all the rest) to maintain the security of a system, so that private things are not shown to the public. It is almost the first layer of security. It is the key to users' data, and anyone without it shall be met with the words: access denied!
Bad example:
When Adult Friend Finder was hacked in October 2016, 412.2 million account details were stolen, including passwords. It was reported that most of the passwords were protected only with the weak SHA-1 hashing algorithm.
Things to keep in mind when you work with passwords:
1. Never know users' passwords: the less you know, the better for you. It could happen that your database is hacked, and you don't want people's passwords or sensitive information exposed in plain text. So it is obvious that the less you know, the better for the user. The exception is when you feel this is absolutely necessary, in which case it is assumed that you're aware of the risk.
2. Restrictions should be minimal: do not put too many constraints on what user passwords should look like; this helps to prevent weak passwords. You can even include a dictionary of common passwords to check against and blacklist them, or simply use this package to prevent dumb passwords: unicodeveloper/laravel-password.
3. Do not send passwords through email: if a user needs to reset the password, it is better to send a one-time access link to the email rather than the password. Usually, a unique token is generated and sent as a query string parameter of the link. When the user follows the link, the application validates the token. Once the user chooses a new password, the token is invalidated. That is why it is a one-time access token.
4. Hash user passwords with bcrypt: this hashing algorithm has proven very dependable and robust. It is better that you don't use MD5 and SHA-1. Many say they are faster, but with the so-called rainbow tables these algorithms have been compromised. See the documentation for how to use the password_hash() function.
5. Password hashing API: of course, I'm a huge fan of components in PHP. If it's very good and widely used, why not ride the wave and save your time? Use the ircmaxell/password-compat component designed by Anthony Ferrara. With 23.5 million downloads, give or take, it can't be that bad after all, just in case you're not very sure whether it can be trusted. You can look up here how it is used.
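Putting points 1, 2, 4 and 5 together, here is an added example (it is not code from the article, from Laravel, or from the password-compat component) of registration and login helpers built on PHP's native password API. The `$users` array, the tiny `COMMON_PASSWORDS` list, the cost of 12 and the minimum length of 8 are all assumptions made for the example; on PHP older than 5.5 the `ircmaxell/password-compat` component supplies the same `password_hash()`, `password_verify()` and `password_needs_rehash()` functions.

```php
<?php
// Added example, not from the article: store only a bcrypt hash of each
// password, reject common passwords, and verify at login. The $users array
// stands in for a database table.

declare(strict_types=1);

// Constructed, deliberately tiny blocklist; a real one is far larger.
const COMMON_PASSWORDS = ['password', '123456', 'qwerty', 'letmein', 'welcome'];

// Bcrypt work factor (assumption): higher is slower for attackers and for you.
const BCRYPT_COST = 12;

function isCommonPassword(string $password): bool
{
    return in_array(strtolower($password), COMMON_PASSWORDS, true);
}

function hashPassword(string $password): string
{
    // password_hash() picks a random salt and embeds salt, algorithm and cost
    // in the returned string, so nothing else has to be stored with the hash.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    if ($hash === false) {
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

function register(array &$users, string $email, string $password): void
{
    if (strlen($password) < 8) {
        throw new InvalidArgumentException('Password must be at least 8 characters');
    }
    if (isCommonPassword($password)) {
        throw new InvalidArgumentException('That password is too common');
    }
    // The plaintext is never written anywhere; only the bcrypt hash is kept.
    $users[$email] = ['hash' => hashPassword($password)];
}

function login(array &$users, string $email, string $password): bool
{
    if (!isset($users[$email])) {
        // Verify against a dummy hash so unknown and known accounts take the
        // same time; otherwise response time reveals which emails exist.
        static $dummyHash = null;
        if ($dummyHash === null) {
            $dummyHash = hashPassword('dummy value, never a real password');
        }
        password_verify($password, $dummyHash);
        return false;
    }
    $stored = $users[$email]['hash'];
    if (!password_verify($password, $stored)) {
        return false;
    }
    // If the cost has been raised since this hash was made, rehash now,
    // while the plaintext is available for this one request.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $users[$email]['hash'] = hashPassword($password);
    }
    return true;
}

// Usage with constructed data:
$users = [];
register($users, 'ada@example.com', 'correct horse battery');
var_dump(login($users, 'ada@example.com', 'correct horse battery')); // bool(true)
var_dump(login($users, 'ada@example.com', 'wrong'));                 // bool(false)
var_dump(login($users, 'nobody@example.com', 'anything'));           // bool(false)
try {
    register($users, 'bob@example.com', 'password');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;                                  // That password is too common
}
```

The `password_needs_rehash()` step is what lets you raise the bcrypt cost later without a migration: old hashes are replaced one by one as users log in, and a leaked table of bcrypt hashes cannot be reversed with a rainbow table because every hash carries its own random salt.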
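The one-time reset link from point 3, as an added example (not code from the article): the application emails a random token, stores only a hash of it with an expiry, validates it when the link is followed, and deletes it as soon as a new password is set. The `$resetTokens` and `$users` arrays stand in for database tables, `sendMail()` is a placeholder for the application's mailer, and the one-hour lifetime is an assumption.

```php
<?php
// Added example, not from the article: a one-time password reset token flow.

declare(strict_types=1);

const RESET_TOKEN_TTL = 3600; // seconds a link stays valid (assumption: one hour)

function sendMail(string $to, string $body): void
{
    // Placeholder: a real application hands this to its mailer.
    echo "To: $to\n$body\n";
}

// Step 1: the user asks for a reset. Generate a random token, store only its
// hash (a leaked table then gives no usable links), and email the raw token.
function requestReset(array &$resetTokens, string $email, string $baseUrl): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, URL-safe hex
    $resetTokens[hash('sha256', $token)] = [
        'email'   => $email,
        'expires' => time() + RESET_TOKEN_TTL,
    ];
    sendMail($email, "Reset your password: {$baseUrl}/reset?token={$token}");
    return $token; // returned only so this example can follow its own link
}

// Step 2: the user follows the link. Look the token up by its hash and reject
// anything unknown or expired. The token is not consumed yet, so a typo in the
// new-password form does not force the user to request another link.
function validateResetToken(array $resetTokens, string $token): ?string
{
    $key = hash('sha256', $token);
    if (!isset($resetTokens[$key])) {
        return null;
    }
    if ($resetTokens[$key]['expires'] < time()) {
        return null;
    }
    return $resetTokens[$key]['email'];
}

// Step 3: the user submits a new password. Store its bcrypt hash and delete
// the token so the same link cannot be used twice.
function completeReset(array &$resetTokens, array &$users, string $token, string $newPassword): bool
{
    $email = validateResetToken($resetTokens, $token);
    if ($email === null) {
        return false;
    }
    $users[$email]['hash'] = password_hash($newPassword, PASSWORD_BCRYPT);
    unset($resetTokens[hash('sha256', $token)]); // one-time: gone on first use
    return true;
}

// Usage with constructed data:
$users       = ['ada@example.com' => ['hash' => password_hash('old-password', PASSWORD_BCRYPT)]];
$resetTokens = [];

$token = requestReset($resetTokens, 'ada@example.com', 'https://app.example');
var_dump(completeReset($resetTokens, $users, $token, 'new long passphrase')); // bool(true)
var_dump(completeReset($resetTokens, $users, $token, 'another one'));         // bool(false), token already used
var_dump(password_verify('new long passphrase', $users['ada@example.com']['hash'])); // bool(true)
```

The token never touches the database in clear: the row holds `sha256(token)`, so a database dump or a backup does not contain anything that can be pasted into a URL, and the expiry plus the `unset()` on completion are what make the link genuinely one-time.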