Jump to content

Recommended Posts

Yeah, it was my understanding that if you were to dynamically generate the salt (from the username or something), then MD5 is about as secure as you're going to get since brute force and rainbow attacks are extremely unlikely (as are collisions).  Here's an example of using the user ID as your salt:

 

$user = "jsmith";
$pswd = "cookies";
$pswd = md5($user.$password);

 

You could add to that the use of a Javascript dictionary checker, to make sure your users aren't using common words as their passwords.

 

You could also use the crypt() function, but, IIRC, that uses MD5/blowfish anyway (though it does generate a salt for you).  I've never used it, so I can't say for sure.

Link to comment
https://forums.phpfreaks.com/topic/152236-solved-md5/#findComment-799458
Share on other sites

Not much of a chance, but if your code has an exploit and someone can return the DB Values the password is not stored as hashed text. Thus anyone can get into anyone else's account. Hashing the password will make sure no one can ever see the password period. This is a huge security measure. I would have to signup for a site to find out my password is not hashed, because a lot of people tend to use the same password for other sites, so I basically just gave you a password you could use to exploit me.

 

I see it as a prevention from you or an admin on your end from going Rogue with the passwords.

Link to comment
https://forums.phpfreaks.com/topic/152236-solved-md5/#findComment-799514
Share on other sites

NOte, that for this method, whenever user changes their login, they have to reenter password as well.

 

That's true.  I guess it just depends on the situation, but it's probably a good idea to avoid that particular method if there's a chance of user logins changing values.

 

Is it's high chance that my passwords will be stolen from mysql if I don't use md5? I don't see anyway that others can steal it unless they can access to mysql database.

 

NEVER store passwords in plain text.  It's bad practice and asking for trouble, especially if you're new to PHP MySQL because it's entirely possible and more likely that you'll overlook something and allow a way into your code/database by mistake.  The use of MD5 or SHA1 or whatever is so easy that there's very little reason NOT to do it.

Link to comment
https://forums.phpfreaks.com/topic/152236-solved-md5/#findComment-799531
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.