Passwords
JackShcherbakov, 2018-09-18 22:26:59

Password protection and storage. How to do it right?

Hello!
The gist:
There is a database with passwords. All passwords are stored in hashed form. Hashing is done with the PHP function password_hash. If the user enters "PasswordSecret1123123", the following is written to the database:

$2y$10$Vo1rzCRf8gQSu3FZDvxeEu4EkhEIvyAF1BGWPbgim5OhRdTjqEqJm

Question 1:
How reliable is this hash? Is it possible to recover the original password knowing the hash? Is this possible even in principle?

Brute-force password guessing:
No matter how the password is stored, it can still be guessed. Therefore, protection against brute forcing is needed. I want to make it so that after 3 wrong attempts, the password can only be entered again after 5 minutes. If the password is entered incorrectly even then, the pause is doubled, and so on. I think this is pretty reliable protection. But how do I implement it?

Password encryption:
I was thinking of starting to learn cryptography to improve security and store not a hash of the password, but a hash of the password's ciphertext. Of course, I would still need to come up with the encryption method, but that's another question.

What other password protection methods do you know?
Thanks in advance to everyone who helps!


1 answer(s)
Dmitry Alekseev, 2018-09-18
@JackShcherbakov

In fact, everything was invented for us long ago =) You write the password to the database as a hash + salt, and the password will be harder to guess. Next, add a captcha to the password entry and, say, a timer to make brute forcing harder. You can also block the user after 5 unsuccessful attempts and require the unblocking to be confirmed by email.
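
The pause scheme described in the question (3 wrong attempts, then 5 minutes, doubling after each further failure) can be sketched as follows. This is an added example, not code from the thread; the function names, the row layout, the `MAX_PAUSE` cap and the in-memory row standing in for the users table are all assumptions.

```php
<?php
declare(strict_types=1);

const FREE_ATTEMPTS = 3;     // wrong attempts allowed before the first pause
const BASE_PAUSE    = 300;   // first pause: 5 minutes, in seconds
const MAX_PAUSE     = 86400; // assumed cap so the doubling cannot grow without bound

// Length of the pause that follows the $failures-th consecutive wrong password.
function pauseAfter(int $failures): int
{
    if ($failures < FREE_ATTEMPTS) {
        return 0;
    }
    $doublings = min($failures - FREE_ATTEMPTS, 20); // keep the shift bounded
    return min(BASE_PAUSE << $doublings, MAX_PAUSE);
}

// $state is one account's row: hash, failures, locked_until (hypothetical layout).
// Returns 'ok', 'wrong' or 'locked'. $now is passed in so the logic is testable.
function attemptLogin(array &$state, string $password, int $now): string
{
    if ($now < $state['locked_until']) {
        return 'locked'; // the password is not even checked while the pause runs
    }
    if (password_verify($password, $state['hash'])) {
        $state['failures'] = 0;
        $state['locked_until'] = 0;
        return 'ok';
    }
    $state['failures']++;
    $state['locked_until'] = $now + pauseAfter($state['failures']);
    return 'wrong';
}

// Constructed demo data: one in-memory row and a made-up start time.
$row = ['hash' => password_hash('PasswordSecret1123123', PASSWORD_DEFAULT),
        'failures' => 0, 'locked_until' => 0];
$t = 1000000;
foreach (['a', 'b', 'c'] as $guess) {
    echo attemptLogin($row, $guess, $t), "\n";                    // three bad guesses
}
echo attemptLogin($row, 'PasswordSecret1123123', $t + 299), "\n"; // inside first pause
echo attemptLogin($row, 'd', $t + 300), "\n";                     // fourth bad guess
echo attemptLogin($row, 'PasswordSecret1123123', $t + 899), "\n"; // inside doubled pause
echo attemptLogin($row, 'PasswordSecret1123123', $t + 900), "\n"; // pause has expired
```

In a real application the counter and `locked_until` live in the users table, and the read and update must happen in one transaction so that parallel requests cannot slip past the limit.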
