Best way to store passwords in MYSQL database

February 13, 2013 | PHP

Passwords and other highly sensitive information should not be stored as plain text in a database; they should be encrypted. If the server is hacked by an intruder, he obtains only the encrypted text. This is more secure because you are not handing over the password directly: you force him to work through combinations of passwords until one matches a specific stored value.

Recently, when Yahoo was hacked, it was shocking to learn that the passwords had been stored as plain text.

Encrypting passwords


Encryption is a method of converting plain text into a random-looking string using a key, which is a secret value; decryption converts it back to plain text using the same key. Plain encryption alone is not secure, because it is possible to recover the information by repeated brute-force attempts. So if you need to secure stored passwords, the stored string should be as difficult as possible to reverse.

Algorithms like SHA1 and MD5 are not advisable for storing passwords because they are so highly optimised that computing them is very fast. By the same token, it is fast for an attacker to recover the passwords.

So the best way to store passwords in a database is with the bcrypt algorithm. It is based on the Blowfish cipher and uses rainbow tables, which simply means that hashing with bcrypt is slower and brute-forcing it takes more time. Reversing it is not feasible even as computing power increases. This makes bcrypt the ideal way to store passwords.

How to use bcrypt in PHP

$salt = '$2y$10$' . substr(strtr(base64_encode(openssl_random_pseudo_bytes(16)), '+', '.'), 0, 22); // a "$2y$" salt selects bcrypt with cost 10 (PHP 5.3.7+)
$hashed_password = crypt($password, $salt); // crypt() called without a bcrypt salt does not use bcrypt

For example, the password “test” is stored as the hashed text shown below.

[screenshot: bcrypt hash of “test” produced by PHP]

bcrypt is supported in PHP 5.3 and later versions.

Since this is one-way, when you verify a password against one already stored in the database you have to hash the entered password with the same salt and compare the result with the stored value.
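As an added example (not code from the original post), here is the full round trip the post describes: hash with bcrypt via crypt(), store the 60-character result in MySQL, and later verify by re-hashing the entered password with the salt that is embedded in the stored hash. The table and column names (users, username, password_hash) and the $pdo connection are assumptions.

```php
<?php
// Added example: bcrypt hashing and verification with crypt() (PHP 5.3.7+ for "$2y$").
// Table/column names (users, username, password_hash) are assumptions.

function bcrypt_hash($password, $cost = 10) {
    // 16 random bytes -> 22 characters of bcrypt's ./A-Za-z0-9 salt alphabet
    $raw  = openssl_random_pseudo_bytes(16);
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    // "$2y$" selects bcrypt; each +1 on the cost roughly doubles the hashing time
    $hash = crypt($password, sprintf('$2y$%02d$', $cost) . $salt);
    if (strlen($hash) !== 60) {          // crypt() signals failure with a short string
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

function bcrypt_verify($password, $stored_hash) {
    // The stored hash carries its own salt and cost, so re-hashing reproduces it
    $candidate = crypt($password, $stored_hash);
    // Constant-time comparison so the response time does not leak where the strings differ
    if (strlen($candidate) !== strlen($stored_hash)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($candidate); $i++) {
        $diff |= ord($candidate[$i]) ^ ord($stored_hash[$i]);
    }
    return $diff === 0;
}

// Storing: the column must hold all 60 characters, e.g. password_hash CHAR(60).
// $pdo is an assumed PDO connection to the MySQL database.
function store_user(PDO $pdo, $username, $password) {
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute(array($username, bcrypt_hash($password)));
}

function check_login(PDO $pdo, $username, $password) {
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                    // unknown user
    }
    return bcrypt_verify($password, $row['password_hash']);
}
```

On PHP 5.5 and later, password_hash() and password_verify() wrap exactly this crypt() usage and are the simpler choice.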

You can read the manual to try some options.
