dadamssg Posted March 8, 2009
I'm about to write a login/register script and was wondering what you guys thought of MD5. It's great for protecting the password, but you can't email it back to them if they forget it. The website I'm building doesn't make the members put any really valuable information in their account, and no harm but annoyance can come if someone does somehow get their password. So I'm thinking about not MD5ing the password... thoughts?

PFMaBiSmAd Posted March 8, 2009
The reasoning is that a lot of people use the same password and username for several different accounts and on shared hosting most databases can be seen by all the hosted accounts and can be brute force/dictionary lookup attacked. If someone breaks into your database and gets the passwords (and probably some other contact information - email, address, phone...) and they know or can find out anything about any of the members, they could use that password to log into other accounts. While it is not your responsibility if members use the same password on different accounts, it is your responsibility to keep their password secure on your server.

dadamssg Posted March 8, 2009
Yeah, that's very true. So instead of emailing them a forgotten password, I should program a secret question so they can change it that way? You think that would be better?
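
An added example, not part of the original thread or any poster's code: one way to keep stored passwords unrecoverable and still handle forgotten ones, by resetting through a single-use e-mailed token instead of e-mailing the password back. It uses PHP's built-in password_hash() rather than the md5() the thread mentions; the function names, the in-memory user store and the sample address are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. The in-memory $users array stands in
// for a database table; all names and sample values here are constructed.
$users = [];

function register(array &$users, string $email, string $password): void
{
    // password_hash() salts each password and uses a slow algorithm, so two
    // members with the same password get different stored values.
    $users[$email] = ['pw' => password_hash($password, PASSWORD_DEFAULT),
                      'reset_hash' => null, 'reset_expires' => 0];
}

function login(array $users, string $email, string $password): bool
{
    return isset($users[$email]) && password_verify($password, $users[$email]['pw']);
}

// "Forgot password": the old password is never sent anywhere. A random,
// short-lived token goes into the e-mailed link; only its hash is stored.
function startReset(array &$users, string $email, int $now): ?string
{
    if (!isset($users[$email])) {
        return null; // caller shows the same message either way
    }
    $token = bin2hex(random_bytes(32));
    $users[$email]['reset_hash'] = hash('sha256', $token);
    $users[$email]['reset_expires'] = $now + 3600; // valid for one hour
    return $token;
}

function finishReset(array &$users, string $email, string $token, string $newPw, int $now): bool
{
    $u = $users[$email] ?? null;
    if ($u === null || $u['reset_hash'] === null || $now > $u['reset_expires']
        || !hash_equals($u['reset_hash'], hash('sha256', $token))) {
        return false;
    }
    $users[$email]['pw'] = password_hash($newPw, PASSWORD_DEFAULT);
    $users[$email]['reset_hash'] = null; // single use: a replayed token fails
    return true;
}

register($users, 'member@example.test', 'old-secret');
$token = startReset($users, 'member@example.test', time());
var_dump(finishReset($users, 'member@example.test', $token, 'new-secret', time())); // first use
var_dump(finishReset($users, 'member@example.test', $token, 'other', time()));      // replay
var_dump(login($users, 'member@example.test', 'old-secret'));
var_dump(login($users, 'member@example.test', 'new-secret'));
```

A copy of the database exposes neither the passwords nor a usable reset token, because only hashes of both are stored.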
Archived
This topic is now archived and is closed to further replies.