I am seeking some suggestions to secure my password encoding. Here I want to mention that I don't want to use the new password_hash() API and also don't want to migrate old passwords. If I used the password_hash() API, I would have to migrate my old users' passwords, which is not going to be possible for now. So here is my old approach.
function login() {
    // the code for getting the password from the database ... I am skipping this part ...
    // The user enters a password in the session as $given_pass; $expected_pass is the
    // md5-generated hash stored in the database.
    if (!Check($given_pass, $expected_pass))
        return error('pass error');
    return notice('pass success');
}

function Encode($text) {
    // the cryptography key is a randomly generated string kept on the server side
    return md5(paramtr2Str("conf.cryptographykey") . $text);
}

function Check($given_pass, $expected_pass) {
    return $expected_pass == Encode($given_pass);
}
I think my Encode function is hackable and I want to give it some extra security while sticking with the original format.
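The stored md5 values can be hardened without any user resetting a password, because the slow hash can be applied to the existing md5 output rather than to the plaintext. The following is an added example (not the poster's code); $serverKey stands in for paramtr2Str("conf.cryptographykey"), and the stored column is assumed to hold either the legacy 32-hex-character md5 or a password_hash() of that same md5.

```php
<?php
declare(strict_types=1);

// The existing scheme, unchanged: md5(serverKey . password) as lowercase hex.
function legacyEncode(string $serverKey, string $text): string {
    return md5($serverKey . $text);
}

// One-off hardening of every stored row: bcrypt the legacy md5 itself.
// This can be run over the whole table offline; nobody has to log in.
function wrapLegacyHash(string $legacyMd5): string {
    return password_hash($legacyMd5, PASSWORD_DEFAULT);
}

function isLegacyHash(string $stored): bool {
    return (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
}

// Returns true on success. If $stored was still a bare md5, it is upgraded
// in place so the caller can write the wrapped value back to the database.
function checkPassword(string $serverKey, string $given, string &$stored): bool {
    $inner = legacyEncode($serverKey, $given);
    if (isLegacyHash($stored)) {
        // hash_equals is constant-time and strict; PHP's == on two hex
        // strings of the form "0e..." compares them as numbers (both zero).
        if (!hash_equals($stored, $inner)) {
            return false;
        }
        $stored = wrapLegacyHash($stored);
        return true;
    }
    // Already wrapped: verify the legacy md5 against its bcrypt hash.
    return password_verify($inner, $stored);
}

// Constructed demo values (not real configuration).
$key    = 'constructed-server-key';
$stored = legacyEncode($key, 'hunter2');   // what the database holds today

var_dump(checkPassword($key, 'hunter2', $stored)); // correct password, row upgraded
var_dump(str_starts_with($stored, '$2y$'));        // stored value is now bcrypt
var_dump(checkPassword($key, 'wrong', $stored));   // wrong password against wrapped hash
var_dump(checkPassword($key, 'hunter2', $stored)); // correct password via password_verify
```

The md5-with-server-key step is kept only for compatibility with existing rows; the work factor that actually slows offline guessing comes from the bcrypt layer, and the server key must stay out of the database so a dump alone does not reveal it.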