Hazukiy Posted May 2, 2013

Hi, I'm just wondering but what is the best of best kind of encryption that you can get when encrypting passwords? Like what does Facebook use? Thanks

oaass Posted May 3, 2013

I would say that 12 rounds of blowfish with a salt generated by openssl_pseudo_random_bytes or mcrypt_create_iv for strong entropy should work fine... But remember: nothing is stronger than its weakest link. So don't forget to enforce good password rules as well.

Yohanne Posted May 3, 2013

This is my way:

    public function cleared($data)
    {
        $data = trim(htmlentities(strip_tags($data)));
        if (get_magic_quotes_gpc()) {
            $data = stripslashes($data);
        }
        // escape whether or not magic quotes had to be undone
        $data = mysql_real_escape_string($data);
        return $data;
    }

    public function set_post()
    {
        $my_POST = array();
        foreach ($_POST as $key => $values) {
            $my_POST[$key] = $this->cleared($values);
        }
        return $my_POST;
    }

    public function login_()
    {
        $my_POST = $this->set_post();
        $pass = substr(sha1($my_POST['pass']), 18, 7);
        $cheked_user->set_result("SELECT pass FROM tbl_user_ WHERE pass = '$pass'");
    }

DaveyK Posted May 3, 2013

You should ask yourself what kind of security you need. You can do whatever you want, adding hashes and encryptions as many times as you like: but does it add value? I would use the PHP function crypt().

Hazukiy Posted May 3, 2013 (Author)

> You should ask yourself what kind of security you need. You can do whatever you want, adding hashes and encryptions as many times as you like: but does it add value? I would use the PHP function crypt().

Ah ok, thanks.

ecce Posted May 3, 2013

This is what I use:

0. Sanitise input. addslashes() or whatever you like. If someone would like HTML code as password - why not?
1. Generate a salt, with something like $salt = hash('sha256', microtime());
2. Add salt to the chosen password. $password = $input_password.$salt;
3. Hash it. $pass_hash = hash('sha256', $password);
4. Store $pass_hash and $salt.

Hashing protects you if someone dumps your user database. Don't forget the UNENCRYPTED TRANSFER of password... webmasters normally ignore the importance of buying a valid SSL certificate.
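
An added example, not part of any post above: bcrypt at cost 12 through crypt(), as oaass and DaveyK suggest, timed against one round of salted SHA-256 as in ecce's steps. The function names and the sample password are made up for illustration, and random_bytes() (PHP 7+) stands in for the older random-byte functions named in the thread.

```php
<?php
// Added example; bcrypt_salt(), hash_password() and verify_password() are illustrative names.

// Encode 16 CSPRNG bytes as the 22-character salt crypt() expects for bcrypt.
function bcrypt_salt(): string
{
    return substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
}

function hash_password(string $password, int $cost = 12): string
{
    // "$2y$" selects bcrypt; the two-digit cost is log2 of the round count.
    $setting = sprintf('$2y$%02d$%s', $cost, bcrypt_salt());
    $hash = crypt($password, $setting);
    if (strlen($hash) !== 60) {   // crypt() signals failure with "*0" or "*1"
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;                 // algorithm, cost and salt are stored inside this string
}

function verify_password(string $password, string $stored): bool
{
    // Re-hash with the setting embedded in $stored, then compare in constant time.
    return hash_equals($stored, crypt($password, $stored));
}

// Constructed sample input.
$password = 'correct horse battery staple';

$t = microtime(true);
$stored = hash_password($password, 12);
$bcryptMs = (microtime(true) - $t) * 1000;

// One round of salted SHA-256, for comparison only.
$t = microtime(true);
$salt = bin2hex(random_bytes(16));
$fast = hash('sha256', $password . $salt);
$shaMs = (microtime(true) - $t) * 1000;

printf("stored hash: %s\n", $stored);
printf("bcrypt cost 12: %.1f ms per hash; salted sha256: %.4f ms per hash\n", $bcryptMs, $shaMs);
var_dump(verify_password($password, $stored));      // correct password
var_dump(verify_password('wrong guess', $stored));  // wrong password
var_dump(password_verify($password, $stored));      // PHP 5.5+ built-in reads the same format
```

The timing line shows what the cost factor buys: each hash, and so each guess against a dumped table, takes orders of magnitude longer than a single SHA-256 round.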