0

I am creating a simplified lead and call management system for a friend's small business.

I would like to know the best practices for hardening password storage and verification using PHP 7.4 and MySQL 7.4.30.

I would like something very secure as some of the data I am storing is subject to HIPPA rules for data storage.

The password hash function creates hashes based on the old bcrypt standards which can be easily broken when one has adequate CPU/GPU resources.

Therefore, I need more robust solutions.

schroeder
  • 123,438
  • 55
  • 284
  • 319
huyang888
  • 1
  • 1
  • 1
    In general, passwords used for authenticating users should not be stored in plaintext in your database. Instead, they should be salted and hashed, then stored. See https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords for some good reading on this subject. PHP has built-in functions for this - see https://www.php.net/manual/en/function.password-hash.php and https://www.php.net/manual/en/function.password-verify.php. – mti2935 Jul 02 '22 at 02:05
  • 1
    Or possibly [this question](https://security.stackexchange.com/questions/206281/are-there-best-practice-standards-for-username-password) is a better fit. There's a ton of questions on password hashing here; a search should give you plenty. – vidarlo Jul 02 '22 at 02:07
  • See https://www.php.net/manual/en/function.password-hash.php and https://www.php.net/manual/en/password.constants.php. Argon2 is supported in PHP 7.2 and up. – mti2935 Jul 02 '22 at 03:00

0 Answers0