Andy11548 Posted January 17, 2012
What's the best way to encrypt passwords? Would something like this work?
crypt(sha1($salt.md5($salt).'hello'.sha1($salt)), $salt)
litebearer Posted January 17, 2012
What happened when you tried it?
Andy11548 (Author) Posted January 17, 2012
It works fine, I'm just wondering if it will be secure.
laffin Posted January 17, 2012
sha1/md5 is not encryption, it's a hashing system. Hashing systems work great for passwords and such because you can't reverse it to get the original. Security is dependent on your script against various attacks. I can store my passwords in plain text, and still be secure. But I have to know a few things about its usage environment.
1) Dedicated Server
2) Limited Remote MySQL logins (Sometimes I add remote admin users to the MySQL server)
3) I sanitize/validate external data that gets put into the database
Just because a password is encrypted/hashed does not mean secure.
Andy11548 (Author) Posted January 17, 2012
Yeah, but passwords can be harder to get back to their original state than others. I can decrypt an MD5 hash in seconds, so MD5 isn't too good to use on its own. I know the security is about your other things, but I want to know if it's a good way to hash a password for extra security.
laffin Posted January 20, 2012
It provides no real extra security, if you have issues of ppl getting the hash, then that's more of a security leak. As I said, I can store all sorts of sensitive information in plain text, as long as I was fairly positive that my script handle the security of external data coming in was sanitized properly. Or that data was going to be handled by non privileged class users, then I would store data encrypted/hashed. My point was that if you think that md5/sha1 provides security, it doesn't, your script provides security, md5/sha1 just provides a quick check of data without exposing the plain text data.
Stooney Posted January 20, 2012
hash('sha512', $string);
That's still pretty secure.
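An added example, not part of any post in this thread: the unsalted hash('sha512', ...) digest discussed above next to a salted, deliberately slow hash, plus a login check that upgrades old rows. It assumes PHP 5.6+ (password_hash, password_verify, hash_equals); the function names and the sample password are constructed for illustration.

```php
<?php
// Added example. Function names and sample data are constructed, not from the thread.

// Fast unsalted digest, as in hash('sha512', $string): the same password
// always yields the same digest, so equal passwords are visible across rows
// and precomputed lookup tables apply.
function fast_digest($password) {
    return hash('sha512', $password);
}

// Slow salted hash: password_hash() draws a random salt on every call and
// stores algorithm, cost and salt inside the returned string.
function store_password($password) {
    return password_hash($password, PASSWORD_DEFAULT);
}

// Login check that also upgrades stored hashes.
// $stored is either a legacy sha512 hex digest (hypothetical old column
// content) or a password_hash() string. Returns array(ok, hash_to_store).
function check_login($password, $stored) {
    $is_legacy = strlen($stored) === 128 && ctype_xdigit($stored);
    if ($is_legacy) {
        // hash_equals() compares in constant time.
        $ok = hash_equals($stored, fast_digest($password));
    } else {
        $ok = password_verify($password, $stored);
    }
    if (!$ok) {
        return array(false, $stored);
    }
    // Replace legacy digests, and hashes made with outdated cost settings.
    if ($is_legacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = store_password($password);
    }
    return array(true, $stored);
}

$pw = 'hello'; // constructed sample password

// Two digests of one password, then two salted hashes of it, compared.
var_dump(fast_digest($pw) === fast_digest($pw));
var_dump(store_password($pw) === store_password($pw));

// A legacy row is accepted once and comes back as a salted hash.
$result = check_login($pw, fast_digest($pw));
var_dump($result[0], password_verify($pw, $result[1]));

// A wrong password against the upgraded hash.
$retry = check_login('wrong', $result[1]);
var_dump($retry[0]);
```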