In PHP, I’ve always seen that using dedicated password functions such as “password_verify” is the best method. However, I’m currently working on a website where the original developer basically wrote a query that returns the userId by searching for the username and password hash. If there are results, then the user is logged in.

Can someone help explain to me why the latter is a bad idea? I understand about cryptographic functions being slow to prevent timing attacks. In the flip side, it almost seems to me that querying by username and password hash would be more secure as the query time would end the same as if the user wasn’t valid.

CodePudding user response：

You cannot query by username and hash for eg. Select * from users where user_id=xx AND password=password_hash

This cannot be done because the user will only pass the plain password not the hash because hash will be created in the system and no user will memorize that hash or even see that hash.

Now your next question why you should use password_verify function , that is because it it more secure since it will only match if password provide by user is matching with the encrypted password stored in database and due to know its almost impossible to crack the encryption

Encryping password will also prevent leakage of raw passwords in case your system is hacked by some way.

CodePudding user response：

The reason why one cannot search for a password hash in the database is, that a random salt should be generated for each password and is used for hashing. Without first extracting the salt from the password-hash, one doesn't know the used salt and therefore cannot create a comparable hash (which could be searched for).

If a website can search for passwords hashes, it is an utterly unsecure system, because no salt (and an unappropriate algorithm) was used. If you are interested in a more indepth explanation, you can have a look at my tutorial about secure password storage.