Is this the right way to store passwords in database and activate user accounts?

Question

I'm building a website with HTML5, CSS, JavaScript, PHP and MySQL DB. I've created a login page and a 'create new user page' and would like to have an email send to active the user account. What I've built now is working but I would like to verify that I'm doing it safe enough.

When creating the user account I use this code:

$Allowed_Chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./';
$Chars_Len = 63;
$Blowfish_Pre = 'xxxxxxxxxxx';   <- not sure if that is something I can share with anyone
$Blowfish_End = 'xxxxxxxxxxx';   <- not sure if that is something I can share with anyone

$Salt_Length = 21;
$mysql_date = date( 'Y-m-d' );
$salt = "";
for($i=0; $i<$Salt_Length; $i++)
{
    $salt .= $Allowed_Chars[mt_rand(0,$Chars_Len)];
}
$bcrypt_salt = $Blowfish_Pre . $salt . $Blowfish_End;
$hashed_password = crypt($password, $bcrypt_salt);
$activationkey = crypt( $hashed_password . $uname);

(I use the hash_pass + uname to create a new hash for $activationKey, without salt.)

In the database I then store: uname, hashed_password, salt, activationkey and I set a flag that shows the account is NOT activated.

Then I send an e-mail to the user with the activationkey included.

When they user clicks the link I search for the e-mail addres and activationkey. If found I clear the activationkey field in the database and set the flag to show the user is activated and then redirect the user to the activation page.

Would love to hear your thoughts on this.

Gabrie

Answer 1

No that's not what you should do, the parameters for crypt() require a certain format, otherwise you will not get a BCrypt value and the salt will not be secure. In PHP 5.5 there is a function called password_hash() which solves exactly your problem, for earlier versions there exists a compatibilty pack from the same author, using this function is "future proof".

Activation keys should better not be derrived from other parameters, just generate a random token and send this token to the user. In the database you store only a hash of this token. This system can be used to generate password reset links too. An example implementation of a such tokens you can find here.