sungpeng Posted April 2, 2009
Check: is MD5 really needed for all passwords? Is it that secure?
revraz Posted April 2, 2009
Salt it and it is. What other options are you considering? You can use SHA1 too. Just don't use plain text.
Yesideez Posted April 2, 2009
...and give each user their own unique salt.
moonlightinred Posted April 2, 2009
Yeah, it was my understanding that if you were to dynamically generate the salt (from the username or something), then MD5 is about as secure as you're going to get, since brute force and rainbow attacks are extremely unlikely (as are collisions). Here's an example of using the user ID as your salt:

    $user = "jsmith";
    $pswd = "cookies";
    $pswd = md5($user . $pswd);   // username prepended to the password as the salt

You could add to that the use of a Javascript dictionary checker, to make sure your users aren't using common words as their passwords. You could also use the crypt() function, but, IIRC, that uses MD5/blowfish anyway (though it does generate a salt for you). I've never used it, so I can't say for sure.
Mchl Posted April 2, 2009
Note that with this method, whenever users change their login, they have to re-enter their password as well. And if you need other algorithms, see hash().
sungpeng (thread author) Posted April 2, 2009
Is there a high chance that my passwords will be stolen from MySQL if I don't use MD5? I don't see any way that others can steal them unless they can access the MySQL database.
premiso Posted April 2, 2009
Not much of a chance, but if your code has an exploit and someone can return the DB values, the password is not stored as hashed text. Thus anyone can get into anyone else's account. Hashing the password will make sure no one can ever see the password, period. This is a huge security measure. I would have to sign up for a site to find out my password is not hashed, because a lot of people tend to use the same password for other sites, so I basically just gave you a password you could use to exploit me. I see it as a prevention from you or an admin on your end going rogue with the passwords.
moonlightinred Posted April 2, 2009
> Note that with this method, whenever users change their login, they have to re-enter their password as well.

That's true. I guess it just depends on the situation, but it's probably a good idea to avoid that particular method if there's a chance of user logins changing values.

> Is there a high chance that my passwords will be stolen from MySQL if I don't use MD5? I don't see any way that others can steal them unless they can access the MySQL database.

NEVER store passwords in plain text. It's bad practice and asking for trouble, especially if you're new to PHP and MySQL, because it's entirely possible and more likely that you'll overlook something and allow a way into your code/database by mistake. The use of MD5 or SHA1 or whatever is so easy that there's very little reason NOT to do it.
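The thread recommends a unique salt per user, and points out that deriving the salt from the username breaks as soon as a login changes. The example below is an added illustration and not code posted by anyone in the thread: it puts the username-salt scheme next to a per-user random salt that is generated once and stored alongside the hash (so renames cost nothing and two users with the same password get different hashes), and finishes with password_hash(), which is how current PHP handles this: it picks a random salt and uses bcrypt, the Blowfish mode of crypt() mentioned above, which is deliberately slow, unlike MD5 or SHA-1. It assumes PHP 7.0 or newer (random_bytes, hash_equals, password_hash); the function names and the sample user/password are illustrative only.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7.0
// (random_bytes, hash_equals, password_hash). Function names are illustrative.

// Scheme from the thread: the username is the salt.
// Drawback: renaming the account changes the hash, so the user must re-enter the password.
function hashWithUsernameSalt(string $user, string $password): string
{
    return md5($user . $password);
}

// Per-user random salt, generated once at signup and stored next to the hash.
// The salt is not secret; it only has to be unique so identical passwords
// hash differently and precomputed tables are useless.
function createSaltedRecord(string $password): array
{
    $salt = bin2hex(random_bytes(16));            // 128-bit random salt, hex encoded
    $hash = hash('sha256', $salt . $password);    // SHA-256 through hash(), as suggested above
    return ['salt' => $salt, 'hash' => $hash];
}

function verifySaltedRecord(array $record, string $candidate): bool
{
    $hash = hash('sha256', $record['salt'] . $candidate);
    return hash_equals($record['hash'], $hash);   // constant-time comparison
}

// Current PHP: password_hash() generates the salt itself and uses bcrypt
// (crypt()'s Blowfish mode); salt, cost and hash are all kept in the one string.
function createPasswordHash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT);
}

function verifyPasswordHash(string $stored, string $candidate): bool
{
    return password_verify($candidate, $stored);
}

// Constructed demo input (not real credentials).
$user = 'jsmith';
$pswd = 'cookies';

// Username as salt: the stored value no longer matches after a rename.
$before = hashWithUsernameSalt($user, $pswd);
$after  = hashWithUsernameSalt('john.smith', $pswd);
echo "username-salt hash survives rename: " . ($before === $after ? 'yes' : 'no') . "\n";

// Random salt: same password, different records; verification still works
// after a rename because the salt is stored, not derived.
$alice = createSaltedRecord($pswd);
$bob   = createSaltedRecord($pswd);
echo "same password gives same hash:      " . ($alice['hash'] === $bob['hash'] ? 'yes' : 'no') . "\n";
echo "correct password verifies:          " . (verifySaltedRecord($alice, $pswd) ? 'yes' : 'no') . "\n";
echo "wrong password verifies:            " . (verifySaltedRecord($alice, 'cookie') ? 'yes' : 'no') . "\n";

// bcrypt: one opaque string to store per user, salt included.
$stored = createPasswordHash($pswd);
echo "bcrypt record: " . $stored . "\n";
echo "bcrypt verifies:                    " . (verifyPasswordHash($stored, $pswd) ? 'yes' : 'no') . "\n";
```

Store the salt and hash (or the single password_hash() string) in the user row; on login, fetch the row by username and call the matching verify function rather than recomputing and comparing with `==`, which leaks timing information and, in PHP, can treat two different hex strings as equal when both look numeric.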