Change password value in the database each time a user logs in

Is it a good idea to change the password value each time a user logs in to the database? I have written a hash function to hash the password when a user registers a new account on the system. Each time the user logs in, the hash value in the database will be changed. Is this good or bad?

Upvotes: 0

Views: 144

Answers (1)

damiankolasa

Reputation: 1510

If you designed this hash function all by yourself then... it is a very, very bad idea. Why would you need something like this? If you store salted SHA-256 hashed passwords, the security is good enough. You do not need to regenerate passwords; it does not provide any additional security. If, let's say, your app is prone to SQL injection, then this scheme won't protect your app. You would be a lot better off if you used salted and keyed SHA-256, something like this (I'm not a PHP coder, I just want our apps to be secure):

$username = 'Admin';
$password = 'gf45_gdf#4hg';
// Server-side secret ("pepper"): lives in application config, never in the database.
$key = 'MySuperSecretKEY!!!!';
// Per-user random salt; sha256 hex output is 64 characters, which is what the check below relies on.
$salt = hash('sha256', uniqid(mt_rand(), true) . 'something random' . strtolower($username));
// Stored value = salt || sha256(salt || password || key)
$hash = $salt . $password . $key;
$hash = hash('sha256', $hash);
$hash = $salt . $hash;

and then checking:

$username = 'Admin';
$password = 'gf45_gdf#4hg';
$key = 'MySuperSecretKEY!!!!'; // the same server-side key used at registration

// Prepared statement instead of string concatenation; the mysql_* extension
// used originally was removed in PHP 7. Connection parameters are placeholders.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'app');
$stmt = $db->prepare('SELECT `hash` FROM `users` WHERE `username` = ? LIMIT 1');
$stmt->bind_param('s', $username);
$stmt->execute();
$r = $stmt->get_result()->fetch_assoc();

if ($r !== null) {
  $salt = substr($r['hash'], 0, 64); // first 64 hex chars are the salt
  $hash = $salt . $password . $key;
  $hash = hash('sha256', $hash);
  $hash = $salt . $hash;

  // hash_equals() is constant-time and avoids the loose == comparison,
  // which treats hex strings like "0e123..." and "0e456..." as equal.
  if (hash_equals($r['hash'], $hash)) {
    //OK
  }
}

So even if an attacker is able to trick the salting algorithm, he does not know the key, so he won't be able to reproduce a valid hash in an SQL injection attack.

Upvotes: 1
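To make the answer's argument concrete, here is an added example (not part of the original answer or the poster's PHP) that ports the salted-and-keyed scheme to Python and plays out the scenario the answer describes: an attacker who can write arbitrary values into the `users` table, for instance through SQL injection, overwrites the stored hash with one for a password they chose. With the unkeyed salted hash that forgery logs them in; with the keyed hash it does not, because the server-side key never reaches the database. `KEY`, the in-memory dictionaries standing in for the table, and the `attacker_overwrite` helpers are all assumptions of the example. One caveat the answer does not mention: a single SHA-256 pass is cheap to brute-force offline if the table leaks together with the key, so in practice the keyed construction belongs around a slow password hash (bcrypt, scrypt or Argon2) rather than a bare SHA-256; the example keeps the answer's construction so the keying point stays visible.

```python
import hashlib
import hmac
import os

# Hypothetical server-side secret (the answer's $key); it lives in app config,
# never in the database. Value chosen for the example only.
KEY = "MySuperSecretKEY!!!!"
SALT_HEX_LEN = 64  # sha256 hexdigest length, matching substr($r['hash'], 0, 64)


def make_salt(username: str) -> str:
    """Random per-user salt, 64 hex chars like the PHP hash('sha256', ...)."""
    return hashlib.sha256(os.urandom(32) + username.lower().encode()).hexdigest()


def keyed_hash(salt: str, password: str, key: str) -> str:
    """The answer's scheme: salt || sha256(salt || password || key)."""
    digest = hashlib.sha256((salt + password + key).encode()).hexdigest()
    return salt + digest


def plain_hash(salt: str, password: str) -> str:
    """Salted but unkeyed variant, for contrast: salt || sha256(salt || password)."""
    return salt + hashlib.sha256((salt + password).encode()).hexdigest()


def register(users: dict, username: str, password: str, key: str = KEY) -> None:
    """Legitimate registration path; the only writer that knows KEY."""
    users[username] = keyed_hash(make_salt(username), password, key)


def verify(users: dict, username: str, password: str, key: str = KEY) -> bool:
    """Login check: recompute from the stored salt, compare in constant time."""
    stored = users.get(username)
    if stored is None:
        return False
    salt = stored[:SALT_HEX_LEN]
    return hmac.compare_digest(keyed_hash(salt, password, key), stored)


def verify_plain(users: dict, username: str, password: str) -> bool:
    """Same check for the unkeyed variant."""
    stored = users.get(username)
    if stored is None:
        return False
    salt = stored[:SALT_HEX_LEN]
    return hmac.compare_digest(plain_hash(salt, password), stored)


def attacker_overwrite(users: dict, username: str, password: str, key_guess: str) -> None:
    """Simulated SQL-injection write: the attacker can set any row value and
    knows the scheme, but only has whatever key they guess, not the real KEY."""
    users[username] = keyed_hash(make_salt(username), password, key_guess)


def attacker_overwrite_plain(users: dict, username: str, password: str) -> None:
    """Same write against the unkeyed table; nothing secret is needed."""
    users[username] = plain_hash(make_salt(username), password)


def demo() -> dict:
    """Runs the scenario and returns the outcomes so they can be checked."""
    keyed_db = {}  # constructed in-memory stand-ins for the `users` table
    plain_db = {}
    register(keyed_db, "Admin", "gf45_gdf#4hg")
    plain_db["Admin"] = plain_hash(make_salt("Admin"), "gf45_gdf#4hg")

    results = {
        "keyed_login_ok": verify(keyed_db, "Admin", "gf45_gdf#4hg"),
        "keyed_wrong_pw": verify(keyed_db, "Admin", "wrong"),
    }
    # Attacker overwrites both rows with a hash for "pwned", without the real key.
    attacker_overwrite(keyed_db, "Admin", "pwned", key_guess="")
    attacker_overwrite_plain(plain_db, "Admin", "pwned")
    results["keyed_forged_login"] = verify(keyed_db, "Admin", "pwned")
    results["plain_forged_login"] = verify_plain(plain_db, "Admin", "pwned")
    return results


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `keyed_forged_login` as `False` and `plain_forged_login` as `True`: the injected row is useless without the key, which is exactly the property the answer is after. Note that the attacker in this model can also replace the salt, so the salt itself provides no protection against forgery; only the key does.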
