Protect your password

In the development of web services “password management methods” are important.

Depending on the specifications, passwords may be saved as they are, or they may be hidden so that they are not visible on the surface.

However, the ideal way it should be is to “store passwords in complex encryption”.

From a security standpoint, if the values stored in the database are not visible, passwords leaked due to unauthorized access can be “protected” as well.

The following is a rough flow of the process.

1. use foreground text while filling in forms
2. enforce SSL (https) for web communication
3. hashing when saving database

This way, the user is protected while entering the password, during the subsequent communication after the submit button is pressed, and when saving the database.

The following logic can be used when saving the database.

$hashedPassword = password_hash($userPassword, PASSWORD_DEFAULT);

If the second argument of the function is set to “PASSWORD_DEFAULT”, the algorithm is automatically determined according to the PHP version.

From the user’s perspective, it would be nice to have a specification that “only the user who set the password can know the password”. If a user enters a password that he or she normally uses and it is stored in the database as it is, the user may wonder, “Is this really safe?” If the password is stored in the database as it is, the user will be worried.

The extent to which safeguards are put in place depends on the budget and deadlines.

Let’s proceed with the best specifications as time permits.