sungpeng Posted April 2, 2009 Share Posted April 2, 2009 Check is md5 really needed for all password? Is it that secure? Quote Link to comment https://forums.phpfreaks.com/topic/152236-solved-md5/ Share on other sites More sharing options...
revraz Posted April 2, 2009 Share Posted April 2, 2009 Salt it and it is. What other options are you considering? You can use SHA1 too. Just don't use plain text. Quote Link to comment https://forums.phpfreaks.com/topic/152236-solved-md5/#findComment-799422 Share on other sites More sharing options...
Yesideez Posted April 2, 2009 Share Posted April 2, 2009 ...and give each user theor own unique salt. Quote Link to comment https://forums.phpfreaks.com/topic/152236-solved-md5/#findComment-799453 Share on other sites More sharing options...
moonlightinred Posted April 2, 2009 Share Posted April 2, 2009 Yeah, it was my understanding that if you were to dynamically generate the salt (from the username or something), then MD5 is about as secure as you're going to get since brute force and rainbow attacks are extremely unlikely (as are collisions). Here's an example of using the user ID as your salt: $user = "jsmith"; $pswd = "cookies"; $pswd = md5($user.$password); You could add to that the use of a Javascript dictionary checker, to make sure your users aren't using common words as their passwords. You could also use the crypt() function, but, IIRC, that uses MD5/blowfish anyway (though it does generate a salt for you). I've never used it, so I can't say for sure. Quote Link to comment https://forums.phpfreaks.com/topic/152236-solved-md5/#findComment-799458 Share on other sites More sharing options...
Mchl Posted April 2, 2009 Share Posted April 2, 2009 NOte, that for this method, whenever user changes their login, they have to reenter password as well. And if you need other algorithms, see hash Quote Link to comment https://forums.phpfreaks.com/topic/152236-solved-md5/#findComment-799477 Share on other sites More sharing options...
sungpeng Posted April 2, 2009 Author Share Posted April 2, 2009 Is it's high chance that my passwords will be stolen from mysql if I don't use md5? I don't see anyway that others can steal it unless they can access to mysql database. Quote Link to comment https://forums.phpfreaks.com/topic/152236-solved-md5/#findComment-799506 Share on other sites More sharing options...
premiso Posted April 2, 2009 Share Posted April 2, 2009 Not much of a chance, but if your code has an exploit and someone can return the DB Values the password is not stored as hashed text. Thus anyone can get into anyone else's account. Hashing the password will make sure no one can ever see the password period. This is a huge security measure. I would have to signup for a site to find out my password is not hashed, because a lot of people tend to use the same password for other sites, so I basically just gave you a password you could use to exploit me. I see it as a prevention from you or an admin on your end from going Rogue with the passwords. Quote Link to comment https://forums.phpfreaks.com/topic/152236-solved-md5/#findComment-799514 Share on other sites More sharing options...
moonlightinred Posted April 2, 2009 Share Posted April 2, 2009 NOte, that for this method, whenever user changes their login, they have to reenter password as well. That's true. I guess it just depends on the situation, but it's probably a good idea to avoid that particular method if there's a chance of user logins changing values. Is it's high chance that my passwords will be stolen from mysql if I don't use md5? I don't see anyway that others can steal it unless they can access to mysql database. NEVER store passwords in plain text. It's bad practice and asking for trouble, especially if you're new to PHP MySQL because it's entirely possible and more likely that you'll overlook something and allow a way into your code/database by mistake. The use of MD5 or SHA1 or whatever is so easy that there's very little reason NOT to do it. Quote Link to comment https://forums.phpfreaks.com/topic/152236-solved-md5/#findComment-799531 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.