I am trying to get a better understanding of hashing and encryption; however, I stumbled upon questions I can't seem to find answers to on Google, because Google keeps offering the basic difference between hashing and encryption, which I have already read.
Moreover, a lot of people asking on StackOverflow who have no idea about the difference between encryption and hashing get to the top of SO's search results, which doesn't answer my questions and didn't help me. So I wanted to make sure of a few things about hashing a password and encrypting one.
Now let's say I wanted to secure a newly registered user.
After I get a 'safe' form of the password, I hash it.
```php
$safePassword; // Already filled with the 'safe' form of the password.
// password_hash() generates its own salt and embeds it in the result.
$hash = password_hash($safePassword, PASSWORD_ARGON2I);
```
Then I insert it into the database.
Now this is where the questions arise.
Do I still need to encrypt the hashed password?
If so, how do I securely encrypt the password? (I'm going to use AES)
```sql
AES_ENCRYPT(str, key_str);
```
Where `str` is the string that we want to encrypt and `key_str` is the encryption key.
Another question arises: is `key_str` safe, so I can use it for further use (for authentication)?

You don't need to encrypt the password; just running it through your password hash, as you included in your question, is perfectly fine. Hashing is a one-way operation, so it is "impossible" to reverse the hash and get the original password.
Encrypting passwords after hashing them doesn't make things any less secure, it just doesn't really make things any more secure either. It also introduces more problems - where to keep the key?
Stick to just Argon2, anything further is unnecessary.
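As an added example (not code from the question or the answer above), here is the register-and-login flow with only the Argon2 hash stored, verified at login with `password_verify()`, and upgraded with `password_needs_rehash()` when the cost parameters change. It assumes PHP 7.2+ built with Argon2 support, a PDO handle `$pdo`, and a `users` table with `id`, `username` and `password_hash` columns (all hypothetical).

```php
<?php
// Added example: store only the Argon2 hash; no encryption layer, no key to manage.
// Assumes PHP >= 7.2 with Argon2 support and a PDO connection $pdo (hypothetical).

const HASH_ALGO = PASSWORD_ARGON2I;
const HASH_OPTIONS = [
    'memory_cost' => 1 << 16, // 64 MiB of memory per hash
    'time_cost'   => 4,       // number of passes
    'threads'     => 2,
];

function registerUser(PDO $pdo, string $username, string $password): void
{
    // password_hash() salts the password itself; the salt is embedded in $hash.
    $hash = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function loginUser(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still spend a hash verification so the response time
        // does not reveal which usernames exist.
        password_verify($password, password_hash('dummy', HASH_ALGO, HASH_OPTIONS));
        return false;
    }

    // password_verify() reads algorithm, salt and parameters from the stored hash.
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }

    // If HASH_OPTIONS were raised after this hash was created, re-hash now,
    // while the plaintext password is available.
    if (password_needs_rehash($row['password_hash'], HASH_ALGO, HASH_OPTIONS)) {
        $newHash = password_hash($password, HASH_ALGO, HASH_OPTIONS);
        $upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->execute([$newHash, $row['id']]);
    }
    return true;
}
```

Raising `memory_cost` or `time_cost` later is handled transparently: existing users are migrated on their next successful login.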