For security and privacy, user passwords are never stored in plaintext form in the database.
Instead, they are stored as bcrypt hashes. bcrypt is a one-way function (the stored value cannot be turned back into the password), and each password gets its own random salt, which makes the stored hashes stronger.
User accounts and passwords are handled by the membership module. Authenticated user access is implemented by the siteAuth module (which manages session IDs and their cookies).
At account creation time:
- The user (or system) provides a new password.
- password_hash() generates a random salt.
- The bcrypt algorithm takes the password and the salt and creates a hash. This process is modulated by a "cost" (difficulty level) parameter passed to the algorithm.
- For convenience, the algorithm code, the algorithm option (the cost), the salt and the password hash are concatenated into a single string (handy for storage in the database); this is all taken care of by the password_hash() function.
At login attempt time:
- The user provides an attempted password, as well as account lookup info (such as an email address or username).
- From the provided account info, the stored hashed-password string (which includes the algorithm, algorithm option, and salt) is retrieved. [A check is also done as to whether the account is active.]
- From the attempted password and the retrieved salt, a hash is generated using the retrieved algorithm (with the retrieved options); this is all taken care of by the password_verify() function.
- If the hash just generated matches the stored hash, the login is successful.
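The two procedures above (account creation and login), as an added example written against PHP's built-in password_hash() / password_verify() API. This is not the membership or siteAuth module's own code: the in-memory $users array stands in for the user table, the cost of 12 is an assumed value, and the account-active check, the dummy verification for unknown accounts and the password_needs_rehash() upgrade are the checks a practitioner would add around the flow described.

```php
<?php
declare(strict_types=1);

// Assumed cost; tune so one hash takes roughly 100-250 ms on the server.
const BCRYPT_COST = 12;

// Stand-in for the database table: email => ['hash' => string, 'active' => bool]
$users = [];

// Hashed once at startup so that a login for an unknown account spends the
// same time as a wrong password (no cheap "account exists" timing signal).
$dummyHash = password_hash('dummy-password-never-used', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);

// Account creation: password_hash() draws the random salt itself and returns
// the single storable string "$2y$<cost>$<22-char salt><31-char hash>".
function createAccount(array &$users, string $email, string $password): void
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    $users[$email] = ['hash' => $hash, 'active' => true];
}

// Split the stored string into the parts the text describes: algorithm code,
// cost option, salt and hash. (Illustration only; password_verify() does this internally.)
function describeStoredHash(string $stored): array
{
    [, $algo, $cost, $saltAndHash] = explode('$', $stored, 4);
    return [
        'algorithm' => '$' . $algo . '$',        // "$2y$" = bcrypt
        'cost'      => (int) $cost,
        'salt'      => substr($saltAndHash, 0, 22),
        'hash'      => substr($saltAndHash, 22),
    ];
}

// Login attempt: look up the stored string, check the account is active, and let
// password_verify() read algorithm, cost and salt out of the stored string to
// recompute the hash and compare it in constant time.
function login(array &$users, string $email, string $attempt, string $dummyHash): bool
{
    if (!isset($users[$email])) {
        password_verify($attempt, $dummyHash);   // equalise timing, result ignored
        return false;
    }
    $record = $users[$email];
    if (!$record['active']) {
        return false;
    }
    if (!password_verify($attempt, $record['hash'])) {
        return false;
    }
    // Successful login is the only moment the plaintext is available, so use it
    // to re-hash if the stored cost is below the current policy.
    if (password_needs_rehash($record['hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $users[$email]['hash'] = password_hash($attempt, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    return true;
}

// Constructed sample run.
createAccount($users, 'alice@example.test', 'correct horse battery staple');
print_r(describeStoredHash($users['alice@example.test']['hash']));
var_dump(login($users, 'alice@example.test', 'correct horse battery staple', $dummyHash));
var_dump(login($users, 'alice@example.test', 'wrong password', $dummyHash));
var_dump(login($users, 'nobody@example.test', 'anything', $dummyHash));
```

Note that the cost value is baked into the stored string, so raising BCRYPT_COST later does not invalidate existing accounts: old hashes still verify, and password_needs_rehash() lets each account migrate to the new cost at its next successful login.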
A helpful tutorial on storing users' passwords.
Guide to Safe Password Hashing.