HighFile-scopePHP Plug & play

Use Secure Password Hashing Functions

Do not use weak or generic hash algorithms (like MD5 or SHA1) for storing passwords. Use built‐in functions like password_hash() (with BCRYPT or Argon2) and password_verify(), which handle salting and secure algorithms automatically.

Add to Mesrai Open workspace

Why this matters

Old hash algorithms are vulnerable to brute‐force attacks and rainbow tables, making it easier to crack passwords. Modern password‐hashing functions include salts and iteration counts, making stored passwords much harder to compromise.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

<?php
$password = $_POST['senha'];
$hash = md5($password);
// store $hash in database
?>

Prefer

<?php
$password = $_POST['senha'];
$hash = password_hash($password, PASSWORD_DEFAULT);
// store $hash in database
?>

More snippets

Bad

<?php
$password = $_POST['senha'];
$hash = md5($password);
// store $hash in database
?>

Good

<?php
$password = $_POST['senha'];
$hash = password_hash($password, PASSWORD_DEFAULT);
// store $hash in database
?>

Related rules

From the same buckets as this rule.

Critical
Encrypt sensitive data at rest with KMS and rotate keys
Use envelope encryption (AES-256-GCM) with cloud KMS-managed CMKs for databases, object storage, and backups. Rotate CMKs at least annually and rotate DEKs per object/file.
compliance-soc2-essentialssecrets-credentials+1
Critical
Pulumi TS: secrets must use Config.requireSecret
In Pulumi TypeScript programs, load sensitive values with new Config().requireSecret and pass as Secret<T>, never plain strings.
infra-as-codesecrets-credentials+1
Critical
Use a secrets manager and 90-day rotation policy
All credentials (API keys, DB passwords, tokens) must be stored in a secrets manager with automatic rotation ≤ 90 days; forbid hardcoded or .env-committed secrets via CI checks.
compliance-soc2-essentialssecrets-credentials+1

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

<?php
$password = $_POST['senha'];
$hash = md5($password);
// store $hash in database
?>

Prefer

<?php
$password = $_POST['senha'];
$hash = password_hash($password, PASSWORD_DEFAULT);
// store $hash in database
?>

More snippets

Bad

<?php
$password = $_POST['senha'];
$hash = md5($password);
// store $hash in database
?>

Good

<?php
$password = $_POST['senha'];
$hash = password_hash($password, PASSWORD_DEFAULT);
// store $hash in database
?>

Related rules

From the same buckets as this rule.

Critical

Encrypt sensitive data at rest with KMS and rotate keys

Use envelope encryption (AES-256-GCM) with cloud KMS-managed CMKs for databases, object storage, and backups. Rotate CMKs at least annually and rotate DEKs per object/file.

compliance-soc2-essentialssecrets-credentials+1

Critical

Pulumi TS: secrets must use Config.requireSecret

In Pulumi TypeScript programs, load sensitive values with new Config().requireSecret and pass as Secret<T>, never plain strings.

infra-as-codesecrets-credentials+1

Critical

Use a secrets manager and 90-day rotation policy

All credentials (API keys, DB passwords, tokens) must be stored in a secrets manager with automatic rotation ≤ 90 days; forbid hardcoded or .env-committed secrets via CI checks.

compliance-soc2-essentialssecrets-credentials+1