trg86 Posted October 29, 2012 (edited)

Good afternoon all, I am currently using md5 on my password field for my login processor, but I know I can secure this better. I was given advice the other day to use a hash, but I am not quite sure how to do it. Here is a relevant snippet from my code, I am open to all suggestions! Thanks!

```php
<?php
//
// User Login
//
// (snippet: assumes an earlier mysql_connect()/mysql_select_db() call in the same file)
session_start();
$username = $_POST['username'];       // Username
$password = md5($_POST['password']);  // Password
$query = "SELECT * FROM users WHERE username='" . mysql_real_escape_string($username) . "' AND password='$password'";
$result = mysql_query($query);
if (mysql_num_rows($result) != 1) {
    $error = "Invalid login, Please check your credentials and try again";
    include "login.html";
} else {
    $_SESSION['username'] = $username;
    include "main_interface.php";
}
?>
```

Edited October 29, 2012 by trg86
jcbones Posted October 29, 2012

I wouldn't use md5 as it is easily broken through lookup tables. I think today's standards are sha1 or better, some even going to crypt. Whatever you decide, use a salt. Very important.
trg86 Posted October 29, 2012 (Author)

> I wouldn't use md5 as it is easily broken through lookup tables. I think today's standards are sha1 or better, some even going to crypt. Whatever you decide, use a salt. Very important.

Yeah, I was actually just doing some research on this, it looks like a SHA1/salt setup is the way to go.
Christian F. Posted October 29, 2012

For this you really should read this article on secure login systems, as it'll tell you everything you need to know.
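The replies above recommend replacing md5 with a salted hash. The following is an added example, not code from the thread or from any of its posters, showing how that advice is implemented in current PHP: `password_hash()`/`password_verify()` (PHP 5.5 and later; the type declarations and `??` below need PHP 7.1 or later) generate a random per-user salt and use bcrypt, a deliberately slow algorithm, which is the property a plain "sha1 plus salt" scheme lacks. The lookup is done with a PDO prepared statement instead of building the SQL string by hand. The `users` table and the `username`/`password` columns follow the OP's query; the DSN, database credentials and included file names are placeholders.

```php
<?php
// Added example (not from the thread): salted, slow password hashing with
// password_hash()/password_verify() and a prepared statement for the lookup.
// DSN and credentials are placeholders; the `password` column must be wide
// enough for the hash (VARCHAR(255) is the usual recommendation).

function connect(): PDO
{
    $pdo = new PDO('mysql:host=localhost;dbname=APP_DB', 'DB_USER', 'DB_PASS');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Registration / password change: store only the hash. Two calls with the
// same password yield different hashes because the salt is random each time.
function storePassword(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('UPDATE users SET password = ? WHERE username = ?');
    $stmt->execute([$hash, $username]);
}

// Login: fetch the stored hash by username (no string interpolation in the
// query), then let password_verify() check the supplied password against it.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user; caller shows the same generic error
    }
    if (!password_verify($password, $row['password'])) {
        return false;
    }
    // If PHP's default algorithm or cost has been raised since this hash was
    // made, re-hash now while the plaintext is available.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        storePassword($pdo, $username, $password);
    }
    return true;
}

session_start();
$pdo = connect();
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

if (login($pdo, $username, $password)) {
    session_regenerate_id(true); // fresh session id once the user is authenticated
    $_SESSION['username'] = $username;
    include 'main_interface.php';
} else {
    $error = 'Invalid login, Please check your credentials and try again';
    include 'login.html';
}
```

Existing rows that hold md5 hashes cannot be converted in place, since the original passwords are not recoverable from them; the usual migration is to re-hash with `password_hash()` at each user's next successful login and drop the old check once every account has been upgraded.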