password encryption


JeremyH

Hi everyone,

I was just wondering what the best way of encrypting a password would be? I looked through the forums and found there were contradicting answers. I will be adding a salt too.

I have been told that a good method to make it more secure is to encrypt the salt. Is this good?

Thanks,

JeremyH


Ask a few people and you will get a few different answers. This topic has been beaten to death in numerous other threads.

-Use a hash. A hash is not encryption. It cannot be decrypted. That is the strength in using it. The most commonly used hashes are md5() and sha1(). Since you brought up a salt, a hash is where a salt comes into play.

-Yes, use a salt. And use a different salt for each row (saved in a separate column for that purpose). The point of a salt is that *if* your database were to be entirely compromised and someone were to have access to the complete database, using a salt for every different row makes the creation of a custom rainbow table pointless. That is not to say that if there is one single account that they are interested in, they couldn't generate a custom rainbow table using that salt, but what ends up being impractical is generating a rainbow table in the hopes of getting hits on a number of different accounts. It really doesn't matter what a salt is in this case -- but you want it to be random gibberish.

One important thing to do is to enforce good passwords. Require them to be a certain length, include numbers and/or special characters, and in general don't let people use simple words or their email address, login names, etc. This has nothing to do with encryption but is another hedge against disclosure after compromise, which assumes the worst.

One other thing to do is make sure that your system detects bad passwords. After a certain number of bad passwords are attempted within a short period of time, you should add additional barriers (different approaches include requiring a captcha, slowing the attempt by a factor of seconds per bad attempt, or locking the account for a period of time after some reasonable threshold of consecutive bad attempts has been made). This dissuades bot-driven brute force hacking.


Thanks very much mate!

Have the md5 with an added salt to the end of it =)

Was just wondering whether it is a good idea to hash the salt to add in even more security? Or would it be a bad idea?

Thanks again!

JeremyH



It doesn't matter whether you hash the salt or not. What's important is that when you hash the password, you add the salt to the plaintext:

// $salt is the random per-row value stored in its own column; it is appended to the password before hashing
$savedpw = md5($pw . $salt);

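The three points from the long reply above (a random salt that differs for every row, a password policy, and a throttle on bad attempts), together with the "add the salt to the plaintext" step from the last reply, as one added PHP example that is not code from either poster. It uses PHP's built-in password_hash() and password_verify() (PHP 5.5+), which draw a fresh random salt on every call and store it inside the returned string, so the per-row salt the reply asks for comes for free. The $users and $attempts arrays, the MAX_FAILURES / WINDOW_SECONDS values and the sample accounts are all constructed for the demo.

```php
<?php
// Added example (not from the thread): per-user salted hashing, a password
// policy check, and a failed-attempt lockout using only PHP built-ins.
// $users and $attempts stand in for database tables.

declare(strict_types=1);

// Policy from the reply: minimum length, at least one digit or special
// character, and not equal to the login name or e-mail address.
function passwordIsAcceptable(string $pw, string $login, string $email): bool
{
    if (strlen($pw) < 10) {
        return false;
    }
    if (!preg_match('/[0-9]/', $pw) && !preg_match('/[^A-Za-z0-9]/', $pw)) {
        return false;
    }
    if (strcasecmp($pw, $login) === 0 || strcasecmp($pw, $email) === 0) {
        return false;
    }
    return true;
}

// Registration: password_hash() generates a random salt per call and embeds it
// in the returned string, so every row gets its own salt without a separate
// column. The salt is not secret; its job is to defeat precomputed tables.
function registerUser(array &$users, string $login, string $email, string $pw): bool
{
    if (!passwordIsAcceptable($pw, $login, $email)) {
        return false;
    }
    $users[$login] = [
        'email' => $email,
        'hash'  => password_hash($pw, PASSWORD_BCRYPT, ['cost' => 12]),
    ];
    return true;
}

// Throttle: after MAX_FAILURES bad attempts inside WINDOW_SECONDS the login is
// refused until the window expires (the "lock for a period of time" option).
const MAX_FAILURES   = 5;     // constructed threshold
const WINDOW_SECONDS = 900;   // constructed window (15 minutes)

function isLocked(array $attempts, string $login, int $now): bool
{
    $a = $attempts[$login] ?? ['count' => 0, 'first' => $now];
    return $a['count'] >= MAX_FAILURES && ($now - $a['first']) < WINDOW_SECONDS;
}

function loginUser(array $users, array &$attempts, string $login, string $pw, int $now): string
{
    if (isLocked($attempts, $login, $now)) {
        return 'locked';
    }
    if (isset($users[$login]) && password_verify($pw, $users[$login]['hash'])) {
        unset($attempts[$login]);            // a success clears the counter
        return 'ok';
    }
    // Count the failure against the login name, even for unknown accounts,
    // so probing for valid names is throttled the same way.
    $a = $attempts[$login] ?? ['count' => 0, 'first' => $now];
    if ($now - $a['first'] >= WINDOW_SECONDS) {
        $a = ['count' => 0, 'first' => $now]; // window expired, start over
    }
    $a['count']++;
    $attempts[$login] = $a;
    return 'bad password';
}

// Demo with constructed data.
$users = [];
$attempts = [];
var_dump(registerUser($users, 'jeremy', 'jeremy@example.com', 'jeremy@example.com')); // false: equals e-mail
var_dump(registerUser($users, 'jeremy', 'jeremy@example.com', 'correct horse 42'));   // true
$t = time();
for ($i = 0; $i < 6; $i++) {
    // five "bad password" results, then "locked" on the sixth attempt
    echo loginUser($users, $attempts, 'jeremy', 'wrong', $t + $i), "\n";
}
// once the window has passed the correct password is accepted again: "ok"
echo loginUser($users, $attempts, 'jeremy', 'correct horse 42', $t + WINDOW_SECONDS), "\n";
```

The stored string from password_hash() carries the algorithm, cost and salt, so password_verify() needs no separate salt column; if you keep the thread's md5($pw . $salt) layout instead, the salt column is what lets you recompute the hash at login, and the lockout logic above is unchanged.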
