THINGS to REMEMBER
A lot has been said about password encryption for PHP, most of which is very good advice, but before you even start the process of using PHP for password encryption, make sure you have the following implemented or ready to be implemented.
No matter how good your encryption is, if you don't properly secure the server that runs the PHP and DB, all your efforts are worthless. Most servers function relatively the same way: they have ports assigned to allow you to access them remotely, either through FTP or shell. Make sure that you change the default port of whichever remote connection you have active. By not doing this, you have in effect made the attacker do one less step in accessing your system.
For all that is good in the world, do not use the username admin, root or something similar. Also, if you are on a Unix-based system, do not make the root account login accessible; it should always be sudo only.
You tell your users to make good passwords to avoid getting hacked; do the same. What is the point in going through all the effort of locking your front door when you have the back door wide open?
Ideally you want your DB and APPLICATION on separate servers. This is not always possible due to cost, but it does allow for some safety, as the attacker will have to go through two steps to fully access the system.
Always have your application have its own account to access the DB, and only give it the privileges it will need.
Then have a separate user account for you that is not stored anywhere on the server, not even in the application.
As always, do not make this root or something similar.
Follow the same guidelines as with all good passwords. Also, don't reuse the same password on any SERVER or DB accounts on the same system.
NEVER ever store a password in your DB; instead store the hash and unique salt. I will explain why later.
ONE way HASHING! Never hash a password in a way that it can be reversed. Hashes should be one way, meaning you don't reverse them and compare them to the password; you instead hash the entered password the same way and compare the two hashes. This means that even if an attacker gets access to the DB, he doesn't know what the actual password is, just its resulting hash, which means more security for your users in the worst possible scenario.
There are a lot of good hashing functions out there (hash, etc...) but you need to select a good algorithm for the hash to be effective (bcrypt and ones similar to it are decent algorithms).
When hashing, speed is the key: the slower the hash, the more resistant it is to brute-force attacks.
One of the most common mistakes in hashing is that hashes are not unique to the users. This is mainly because salts are not uniquely generated.
Passwords should always be salted before being hashed. Salting adds a random string to the password so similar passwords don't appear the same in the DB. However, if the salt is not unique to each user (i.e. you use a hard-coded salt), then you have pretty much made your salt worthless, because once an attacker figures out one password salt he has the salt for all of them.
When you create a salt, make sure it is unique to the password it is salting, then store both the completed hash and salt in your DB. What this will do is make it so that an attacker will have to individually crack each salt and hash before they can gain access. This means a lot more work and time for the attacker.
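As an added example (not code from the original text), the per-password salt and the hash-and-compare login described above can be written with PHP's built-in `password_hash()` and `password_verify()`. With bcrypt the salt is stored inside the hash string, so one column holds both. The class name, the cost value and the in-memory array standing in for a DB table are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: class name, cost and in-memory "table" are assumptions.
final class PasswordStore
{
    private const OPTIONS = ['cost' => 12]; // bcrypt work factor: higher is slower

    /** @var array<string,string> username => hash (stands in for a DB column) */
    private array $rows = [];

    public function register(string $user, string $password): void
    {
        // password_hash() draws a fresh random salt on every call and embeds
        // it, with the algorithm and cost, in the returned string.
        $this->rows[$user] = password_hash($password, PASSWORD_BCRYPT, self::OPTIONS);
    }

    public function login(string $user, string $password): bool
    {
        $hash = $this->rows[$user] ?? null;
        // Hashes the candidate with the stored salt and compares the two
        // hashes in constant time; nothing is ever reversed.
        if ($hash === null || !password_verify($password, $hash)) {
            return false;
        }
        // If the cost was raised after this hash was created, upgrade it now
        // while the plaintext is still available.
        if (password_needs_rehash($hash, PASSWORD_BCRYPT, self::OPTIONS)) {
            $this->register($user, $password);
        }
        return true;
    }

    public function storedHash(string $user): ?string
    {
        return $this->rows[$user] ?? null;
    }
}

// Constructed sample data: two users who picked the same password.
$store = new PasswordStore();
$store->register('alice', 'correct horse battery staple');
$store->register('bob', 'correct horse battery staple');

// Same password, separate salts: compare what would land in the DB.
var_dump($store->storedHash('alice') === $store->storedHash('bob'));
var_dump($store->login('alice', 'correct horse battery staple'));
var_dump($store->login('alice', 'wrong guess'));
```

bcrypt only uses the first 72 bytes of the password, so longer inputs are effectively truncated.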
USERS CREATING PASSWORDS
If the user is creating a password through the frontend, that means it has to be sent to the server. This opens up a security issue, because the unencrypted password is being sent to the server, and if an attacker is able to listen and access that, all your security in PHP is worthless. Always transmit the data SECURELY. This is done through SSL, but be wary: even SSL is not flawless (OpenSSL's Heartbleed flaw is an example of this).
Also make the user create a secure password. It is simple and should always be done; the user will be grateful for it in the end.
Finally, no matter the security measures you take, nothing is 100% secure: the more advanced the technology to protect becomes, the more advanced the attacks become. But following these steps will make your site more secure and far less desirable for attackers to go after.
Here is a PHP class that creates a hash and salt for a password easily