
View Full Version : User passwords for login



moos3
08-20-2007, 09:48 PM
I'm trying to figure out the best way to store them in my database: sha or md5 or something else?

PappaJohn
08-20-2007, 10:06 PM
I typically hash them using sha1(), it is somewhat more secure than md5.

wordnerd
08-20-2007, 11:29 PM
For what it's worth, I also always store passwords as sha1() hashes. VARCHAR(40) holds them nicely.

fl00d
08-21-2007, 06:20 AM
Hmm, I use MD5(). I've just thought up an idea to double MD5 encryption. Have the password hashed once, and then the hashed value hashed again. I'm about to test it out and see how easy it would be to crack a hash that also has a hash value. My instinct tells me it would be fairly easy to crack but I'll find out for sure :)

westmatrix99
08-21-2007, 02:51 PM
Sorry for this odd question but does your site actually get cracked? (not hacked but cracked)
What would they gain?
I mean you're not a bank or anything are you?

Inigoesdr
08-21-2007, 03:00 PM
hmm I use MD5(). I've just thought up an idea to double MD5 encryption. Have the password hashed once, and then the hashed value hashed again.
vBulletin uses something similar to that, with a random salt added.


Sorry for this odd question but does your site actually get cracked? (not hacked but cracked)
What would they gain?
I mean you're not a bank or anything are you?

It doesn't matter.. no one wants their site cracked. Whether you run a bank or a blog, it's always a bad thing.

westmatrix99
08-21-2007, 03:03 PM
Ok it's personal preference.

Inigoesdr
08-21-2007, 03:08 PM
It shouldn't be personal preference. You have an implied responsibility to do the most you can to protect your users' personal information.

westmatrix99
08-21-2007, 03:14 PM
All I am saying is that unless you are a bank or store some serious information then hashing and bashing makes no sense.

Ok what you say is true that you should protect the data but trying to crack a website is childish.

It's never happened to me. ("touch wood")
I would love to see someone try and crack my site and hear how long it took them to figure out that they can't.

Inigoesdr
08-21-2007, 03:16 PM
All I am saying is that unless you are a bank or store some serious information then hashing and bashing makes no sense.

Ok what you say is true that you should protect the data but trying to crack a website is childish.

It's never happened to me. ("touch wood")
I would love to see someone try and crack my site and hear how long it took them to figure out that they can't.

No offense, but just because it's childish doesn't mean people won't do it.
And I seriously doubt that your site can't be cracked. If it's connected to the internet, then there's a way to get to it.

westmatrix99
08-21-2007, 03:21 PM
Cool cheers.

rafiki
08-21-2007, 03:28 PM
I sha1() passwords all the time, probably always will.

Inigoesdr
08-21-2007, 03:34 PM
I call your sha1() and raise you hash('sha256', $string);

rafiki
08-21-2007, 03:38 PM
fold. :( lol

moos3
08-21-2007, 07:04 PM
I'm going to do the following


$temp = sha1($passwd);
$password = md5($temp);
$salt = substr(md5(uniqid(rand(), true)), 0, 5);
$secure_password = md5($salt . md5($password));


Suggestions?

PappaJohn
08-21-2007, 07:09 PM
And when the user logs in, how are you going to verify their password since $salt will be different each time?

moos3
08-21-2007, 07:10 PM
That is true.

Inigoesdr
08-21-2007, 07:38 PM
Store the salt in a variable or generate it from something static.
You can embed the functions like this too:

$secure_password = md5($salt . md5(md5(sha1($passwd))));
Although, it's probably better to use a hash algorithm with a higher rating instead of re-hashing it multiple times.
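
The following is an added example, not code posted by anyone in the thread. It shows the point raised in the last few posts: a random salt only works if it is stored with the hash and re-used at login. It assumes PHP 7 or later; the function names and the `$users` array (standing in for a database table) are hypothetical, and the second pair of functions goes beyond the thread by using PHP's built-in `password_hash()`, which embeds the salt in its output.

```php
<?php
// Added example; function names and $users are assumptions, not thread code.

// Registration: create a random per-user salt and keep it next to the hash.
function make_record(string $passwd): array
{
    $salt = bin2hex(random_bytes(16));          // 32 hex chars, unique per user
    $hash = hash('sha256', $salt . $passwd);    // sha256, as suggested in the thread
    return ['salt' => $salt, 'hash' => $hash];  // both values are stored
}

// Login: re-use the STORED salt, never a freshly generated one.
function check_record(array $record, string $attempt): bool
{
    $candidate = hash('sha256', $record['salt'] . $attempt);
    return hash_equals($record['hash'], $candidate);  // constant-time compare
}

// Same idea with the built-in API (PHP 5.5+): password_hash() generates the
// salt itself and embeds it in the returned string, so one column is enough.
function make_record_builtin(string $passwd): string
{
    return password_hash($passwd, PASSWORD_DEFAULT);
}

function check_record_builtin(string $stored, string $attempt): bool
{
    return password_verify($attempt, $stored);
}

// Constructed sample data: two users who happen to choose the same password.
$users = [];
$users['alice'] = make_record('correct horse');
$users['bob']   = make_record('correct horse');

var_dump(check_record($users['alice'], 'correct horse'));  // right password
var_dump(check_record($users['alice'], 'wrong guess'));    // wrong password

// Different salts give different stored hashes for the same password.
var_dump($users['alice']['hash'] === $users['bob']['hash']);

$stored = make_record_builtin('correct horse');
var_dump(check_record_builtin($stored, 'correct horse'));
var_dump(check_record_builtin($stored, 'wrong guess'));
```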


