It is not secure to store the password of the registered user directly as it is in the sql database, for instance say mr.x has stolen the database file storing the password, then he has full control on our authentication system. This type of security breach is always an online attack. Some old school programmer will tell to use encrypting as a solution. But, in that case also problem will exist because encrypting is a reversible process, thus our mr.x can easily decrypt the value store in our database. So the better solution for this is to store hash of password in our database, as depicted in the figure below.
Various algorithm are available like Message-Direct 5(md5), SHA-3 can be use to create hash value for our password. But, such algorithm has there drawback too, so they are not trustworthy with both the eyes close.Using a independent salt, to generate hash value of the password is possibly the best way to do that. The hash value generated using salt is not reversible. So, nobody can ever get the actual value of the password even if he knows the hash value of the password, so mr.x even after stoling the database can only chew his nail.
There are times when our registered user will forget there password, and for the same you must have a password recovery system. Using the salt procedure, we know that disclosing of the actual password is not possible. In this case, what you will do is to throw a security question to the user and if he answered it clearly you will refer him to the page where he can change his password.
Below, i have written the way for generating the hash code, i think the code is very simple and not need any explanation. However, I have used comment wherever necessay..
if ($_SERVER["REQUEST_METHOD"] == "POST")
$pass_ok="imarchit"; // correct password.
$pass=md5($salt.md5($pass.$salt)); //generating hash value.
echo "Crypted Data of $pass1 : ".$pass."
echo "You have entered correct data";
echo "Please, Enter the correct data";
<body> <form method="POST" action="index.php">
<input type="text" name="pass"> <input type="submit">
<p>Correct Data is : imarchit(4978b1e5e1423ea6ed2380ffbede7250)</p>
During registration process, user's entered password field is first transformed to it's hash value and is then finally stored. And during login process, we again will generate the hash value of the password entered by the user and will compare it to the hash value stored in our database. If two of them are equal then the sessions starts. You can also use different salt each time during the time of user registration. In this case, you have to store the value of the salt in the database column too. This give one more layer of protection, as much as security is concerned.
Brute force attack
enumerates through all possibilites, that is very large number of combination is tried by the attacker in order to gain access over the session protected area. Therefore, It is not a good choice to use username as a salt, the better way is to generate a random value, then transformed that value into hash and finally store it into the database. Laterly, during the login process we've to add one more step, that is retrival of the salt for the username specifed by the user.