Add password_hash() formatter

Could we add password_hash() and password_verify() for more secure password hashing in PHP environments?

https://www.php.net/manual/en/function.password-hash.php

https://www.php.net/manual/en/function.password-verify.php

for most secure password hashing you can use the already available SHA512. Does it have limitations you want to address?

Unless you use a different random salt, SHA512 by itself is not really a good idea. Ideally you use a slow hash (e.g. SCRYPT or BCRYPT) for passwords, not a fast hash (e.g. SHA512).

Currently, setting all of this up to use SHA with a salt in Wappler requires modifying the data formatter files to add a function to create a random salt, setting up your database to hold two separate fields (salt and hashed password), and adding all of the actions to insert and query for signup and login processes.

PHP’s password_hash() would simplify this process. You only need one formatter to hash and only one field in the database because the function generates the random salt and stores it in the hash. We would also need the password_verify() for validation.

In addition, it is more secure because it uses bcrypt or another slow hash. See more here: https://rietta.com/blog/bcrypt-not-sha-for-passwords/
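Added example (not code from this thread or from Wappler) of the single-column signup/login flow described above, using PHP's built-in password_hash() and password_verify(); the `$users` array is a constructed stand-in for the database table, and the cost value is an assumption.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a "users" table: username => stored hash.
// Only one column is needed because the salt lives inside the hash string.
$users = [];

// Assumed work factor; raise it as hardware gets faster.
const BCRYPT_COST = 12;

function register(array &$users, string $username, string $password): string
{
    // PASSWORD_DEFAULT is currently bcrypt. password_hash() generates the
    // random salt itself and embeds it in the returned string.
    $hash = password_hash($password, PASSWORD_DEFAULT, ['cost' => BCRYPT_COST]);
    $users[$username] = $hash;
    return $hash;
}

function login(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        // Verify against a dummy hash so an unknown username takes about as
        // long as a wrong password (avoids a timing difference).
        password_verify($password, '$2y$' . BCRYPT_COST . '$' . str_repeat('.', 53));
        return false;
    }
    $hash = $users[$username];
    // password_verify() reads algorithm, cost and salt from the stored hash.
    if (!password_verify($password, $hash)) {
        return false;
    }
    // If the stored hash used an older algorithm or a lower cost,
    // transparently re-hash on successful login.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => BCRYPT_COST])) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT, ['cost' => BCRYPT_COST]);
    }
    return true;
}

// Signup: store the self-describing hash ("$2y$" + cost + "$" + salt + digest).
$hash = register($users, 'alice', 'correct horse battery staple');
printf("stored: %s\n", $hash);
print_r(password_get_info($hash));

// Login attempts: correct password, wrong password, unknown user.
var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump(login($users, 'alice', 'wrong password'));
var_dump(login($users, 'mallory', 'anything'));
```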

Password hash and verify have been added to Wappler 2.6.4
