Piyushhbhutoria / FinTech

A platform for peer to peer money lending and crowd funding.
GNU General Public License v3.0
16 stars 22 forks

Passwords should be hashed and salted, not stored as plain base64 #8

Open hizkifw opened 5 years ago

hizkifw commented 5 years ago

Describe the bug

Storing passwords in a reversible format (e.g. base64) is very insecure and against standard security practices. Passwords should be stored as a hash instead. For further details, please refer to this post: https://security.stackexchange.com/a/36838

To Reproduce

Steps to reproduce the behavior:

  1. Register on the website
  2. Check the database contents
  3. Password is stored as plaintext encoded in base64

Expected behavior

Passwords should be hashed.

Screenshots

N/A

Piyushhbhutoria commented 4 years ago

would you like to work on it and create a PR?

excitedbox commented 4 years ago

Hashing passwords is easy. You do sha512($password); and store the result in the DB and when someone logs in you do a sha256 to the password field of the login form before comparing it to the hash stored in the DB. That way the website doesn't even know the real password only the hash.

Even better would be to split the password first then do sha512($part1.$randomsalt.$part2); The entire fix should take less than 5 minutes.

That is also why a forgotten password always requires you to reset your password. They don't know what your password is, so they can't retrieve it.
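
A worked version of the fix this issue asks for, added here as an example (it is not code from the FinTech repository or from either commenter): the reversible base64 column the report describes, beside a salted, iterated PBKDF2-HMAC-SHA-512 hash with a constant-time check, which is the standard-library form of the salted hashing excitedbox sketches. It assumes Python and a record format of its own design (`pbkdf2_sha512$iterations$salt$hash`); the iteration count is the figure the OWASP Password Storage Cheat Sheet gives for PBKDF2-HMAC-SHA512.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 210_000  # OWASP figure for PBKDF2-HMAC-SHA512; tune to your hardware
SALT_BYTES = 16              # per-user random salt, stored with the hash


def store_base64(password: str) -> str:
    """What the issue describes: base64 is an encoding, not a hash."""
    return base64.b64encode(password.encode()).decode()


def recover_from_base64(stored: str) -> str:
    """Anyone who can read the database column gets the original password back."""
    return base64.b64decode(stored).decode()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA-512. Returns 'pbkdf2_sha512$iters$salt$hash'.

    `salt` is only a parameter so tests can be deterministic; callers should
    leave it None so a fresh random salt is drawn for every user.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, PBKDF2_ITERATIONS)
    return "$".join(["pbkdf2_sha512", str(PBKDF2_ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record (e.g. a legacy base64 value) never verifies
    if algo != "pbkdf2_sha512":
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("base64 column :", store_base64(pw), "->", recover_from_base64(store_base64(pw)))
    record = hash_password(pw)
    print("hashed column :", record)
    print("verify        :", verify_password(pw, record), verify_password("wrong", record))
```

Two registrations with the same password produce different records because each draws its own salt, so a leaked table cannot be attacked with one precomputed list.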

Piyushhbhutoria commented 4 years ago

@excitedbox why don't you create a PR? :)