bottom line, last encryption post


Ninjakreborn

I think encryption/decryption has its purposes, I studied it enough, the bottom line:
should I store passwords in plain text in a database?
If not then I can go with hash, but I saw that the function is called
hash()
and the first parameter is the type sha1, you could use it as a type instead of a standalone function, is this true? I also read sha1 has been decrypted somewhere, I will show a link later.
So if I hash something how do I match the text passwords up to see if they're the same, is there any chance of it being wrong?

I would use a salt with whatever hashing algorithm you use.  For example:
[code]
<?php
$password = "bob";
srand( microtime( true ) );

/*Variable initialization*/
$salt_template = "0123456789ABCDEF";
$salt = '';
/*Create a random string with template of length 10*/
for ( $i = 0; $i < 10; $i++ )
{
$salt .= substr( $salt_template, rand() % 16, 1 );
}
$hash = md5( $password . $salt ) . $salt;
?>
[/code]

Then to compare it to the plain text..
[code]
<?php
//The user entered bob which is the variable $password
$password = $_POST['password'];
//get pw in db (the stored value is md5(password + salt) followed by the 10-char salt)
$pw = ''; // ...from db query...
//the salt is the last 10 characters of the stored value
$salt = substr( $pw, -10 );
if ( ( md5( $password . $salt ) . $salt ) == $pw )
    echo 'golden';
else
    die();
?>
[/code]

Way too over my head
[code]<?php
$password = "bob";
srand( microtime( true ) );

/*Variable initialization*/
$salt_template = "0123456789ABCDEF"; // this
$salt = ''; // this
/*Create a random string with template of length 10*/
for ( $i = 0; $i < 10; $i++ ) // this
{
$salt .= substr( $salt_template, rand() % 16, 1 );
}
$hash = md5( $password . $salt ) . $salt;
?>[/code]
I don't understand, I see those $i = 0, X0212
whatever, I see that a lot but I have never had to use anything like that, what is it? And the salt template, won't I have to build a different template for each one, or could I use the first 2 letters of the username as salt?

In my opinion, you should [i]never[/i] store passwords in plain text form.
[quote]the first parameter is the type sha1, you could use it as a type instead of a standalone function, is this true? I also read sha1 has been decrypted somewhere[/quote]I don't quite understand what you mean there, but yes, you can either use the sha1() function, or use it as an algorithm type within hash(). From what I have read, SHA-1 [i]has[/i] been cracked, but not in a way that is totally useful. I think it requires a technique similar to brute-forcing, but based on collisions.
[quote]So if I hash something how do I match the text passwords up to see if they're the same, is there any chance of it being wrong?[/quote]You hash the string and match it against the stored hash of the password.

http://us3.php.net/manual/en/function.hash.php
string hash ( string algo, string data [, bool raw_output] )

so
hash("md5", $data);
question 1: should I set the 3rd parameter to true or false? When I choose the algorithm can I use it all through hash?
examples
[code]hash("sha1", $data);
hash("md4", $data);
hash("sha256", $data);[/code]
Is this logical? Also, when I look at the functions in the manual, there is nowhere to provide salt, where would the salt come in?
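The salt goes in by concatenating it to the password before calling hash(), then storing it beside the result so it can be reused when the user logs in. This is an added example, not code from any post in this thread; it uses SHA-256 and random_bytes() in place of md5() and rand(), and the "hash:salt" storage layout is this example's own choice.

```php
<?php
// Added example (not from the thread): salted hashing with hash(),
// plus verification. The salt is appended to the password before
// hashing and stored next to the hash, separated by ':'.

// Create a new salted hash for a password. Returns "hash:salt", both hex.
function make_salted_hash(string $password): string
{
    // 16 random bytes = 32 hex characters; random_bytes() is a CSPRNG,
    // unlike rand(), so salts are unpredictable and not tied to a seed.
    $salt = bin2hex(random_bytes(16));
    // Third parameter of hash() left at its default (false): hex output,
    // which is safe to store in a text column.
    $hash = hash('sha256', $password . $salt);
    return $hash . ':' . $salt;
}

// Verify a candidate password against a stored "hash:salt" string.
function verify_salted_hash(string $password, string $stored): bool
{
    [$hash, $salt] = explode(':', $stored, 2);
    $candidate = hash('sha256', $password . $salt);
    // hash_equals() compares in constant time, so the comparison does not
    // leak how many leading characters of the hash matched.
    return hash_equals($hash, $candidate);
}

// Demonstration with a constructed password.
$stored = make_salted_hash('bob');
var_dump(verify_salted_hash('bob', $stored));
var_dump(verify_salted_hash('Bob', $stored));

// For real logins, PHP's built-in password_hash()/password_verify() does
// the salting itself and uses a slow, password-oriented algorithm (bcrypt
// by default), which resists offline guessing far better than one round
// of any fast hash such as md5 or sha256.
$stored2 = password_hash('bob', PASSWORD_DEFAULT);
var_dump(password_verify('bob', $stored2));
?>
```

Two users with the same password get different stored values because each gets its own random salt, which is what the per-user salt is for; reusing the first two letters of the username would give far fewer distinct salts.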
