I'm not really sure where to post this topic... it touches on MySQL, PHP, JavaScript, and best practices.
I want to force users to update their password after 90 days. I can force them to the update page no problemo, but I'm having trouble forcing them to pick a new password, something different from what they already have stored in the database.
Currently, when a user registers for an account on my site, the password is passed in plain text and I let the MySQL PASSWORD() function hash it (I've come to understand this is bad practice). This makes it kind of difficult, because I am having a hard time verifying their new plain-text entry on the update page against the PASSWORD()-hashed old one.
The closest I've gotten is this:
    <script type="text/javascript">
    function newpassword() {
        var oldpw = "<?php echo $XXXXXX->UserPassword; ?>";
        var newpw = "<?php echo '*' . strtoupper(sha1(pack('H*',sha1('<script type="text/javascript">document.write(document.FORMNAME["UserPassword"].value);</script>'))));?>";
        ....
    }
    </script>
And I would then compare the two variables. I'm wondering if this is even possible. I've seen a few suggestions online using UNHEX or CryptoJS, but when I use those functions my page loads with nothing on it.
I've thought about passing the value as an MD5-hashed value and just storing that in the database instead, but I've read a bit that MD5 isn't very secure anymore.
I'm kind of at a loss as to what to do at this point. Any help/guidance?
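The comparison the post is trying to do in the browser can only be done on the server, because the PHP in that snippet runs before the form value exists and echoing the stored hash into JavaScript hands it to anyone who views the source. As an added example (not code from the original post), the following PHP does the whole check server-side: it recomputes MySQL's 4.1+ PASSWORD() format ('*' plus the upper-case hex of SHA1 over the raw SHA1 of the plaintext, which is what the post's pack('H*', sha1(...)) was reaching for) so the existing rows can be verified, rejects a new password that matches the stored hash, and rehashes with password_hash() so the row is migrated on the spot. The table and column names (users, UserID, UserPassword, PasswordChangedAt), the $pdo connection, and the 12-character minimum are assumptions for illustration.

```php
<?php
// Added example, not the original poster's code. Column and table names are
// assumptions; adjust them to the real schema.

// Reproduce MySQL's PASSWORD() (4.1+ format) so rows hashed by the database can
// still be verified in PHP: '*' . UPPER(HEX(SHA1(SHA1(plaintext)))) with the
// inner SHA1 taken as raw bytes.
function mysql_legacy_password(string $plaintext): string
{
    return '*' . strtoupper(sha1(sha1($plaintext, true)));
}

// Constant-time comparison so a mismatch does not leak through timing.
function matches_legacy_hash(string $plaintext, string $storedHash): bool
{
    return hash_equals($storedHash, mysql_legacy_password($plaintext));
}

// Accepts both the legacy '*...' format and password_hash() output ('$2y$...'),
// so the check keeps working while accounts are migrated one login at a time.
function verify_password(string $plaintext, string $storedHash): bool
{
    if ($storedHash !== '' && $storedHash[0] === '*') {
        return matches_legacy_hash($plaintext, $storedHash);
    }
    return password_verify($plaintext, $storedHash);
}

// Handle the forced change entirely on the server. Returns null on success or
// a message describing why the new password was rejected.
function change_password(PDO $pdo, int $userId, string $currentPlain, string $newPlain): ?string
{
    $stmt = $pdo->prepare('SELECT UserPassword FROM users WHERE UserID = ?');
    $stmt->execute([$userId]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return 'unknown user';
    }
    // The user must prove they know the current password before changing it.
    if (!verify_password($currentPlain, $stored)) {
        return 'current password is incorrect';
    }
    // "Different from what they already have" is checked against the hash, not
    // against a plaintext copy the server never stored.
    if (verify_password($newPlain, $stored)) {
        return 'new password must differ from the current one';
    }
    if (strlen($newPlain) < 12) { // assumed policy; pick your own minimum
        return 'new password must be at least 12 characters';
    }
    // Store a salted, slow hash from now on instead of PASSWORD() or MD5.
    $newHash = password_hash($newPlain, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare(
        'UPDATE users SET UserPassword = ?, PasswordChangedAt = NOW() WHERE UserID = ?'
    );
    $stmt->execute([$newHash, $userId]);
    return null;
}

// Self-check of the legacy format against a value MySQL itself produces:
// SELECT PASSWORD('password') returns *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19.
if (mysql_legacy_password('password') !== '*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19') {
    throw new RuntimeException('legacy PASSWORD() reimplementation is wrong');
}
```

Two things this changes compared with the approach in the post: the plaintext still travels to the server once (over TLS), but the hash never travels to the browser, and the 90-day rule becomes a single query on PasswordChangedAt rather than anything the client computes. Once every row starts with '$2y$' the legacy branch can be deleted.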