  1. #1
    New Coder
    Join Date
    Dec 2008
    Posts
    34
    Thanks
    5
    Thanked 0 Times in 0 Posts

    Storing Passwords - MD5 or AES?

    Hi,

    I'm working on creating user & logon pages that will store/retrieve the users' details in a MySQL database. I was initially going to use aes_encrypt to store the passwords, as it's 128-bit, so secure, then use aes_decrypt to retrieve the passwords, in the event that a user forgets a password and wants it mailed to them.

    However, after reading through some posts, I'm thinking that maybe I should drop the idea of using aes, and just use MD5 to hash the password. Some of the threads I've read suggest that if a user forgets a password, rather than decrypting the password, they can just have a new random password emailed to them instead of their old one.

    What are everyone's thoughts on this? Is there any compelling reason to use one over the other: speed, ease of use, etc.?

    Any comments or suggestions would be much appreciated.

    Ben

  • #2
    Supreme Master coder! _Aerospace_Eng_
    Join Date
    Dec 2004
    Location
    In a place far, far away...
    Posts
    19,291
    Thanks
    2
    Thanked 1,043 Times in 1,019 Posts
    I would go with something better than md5. I do agree that a random password could be generated for them. I also believe passwords shouldn't be emailed to users, just for security reasons. Maybe sha1 with some salting, or maybe something like sha512 if your server supports it. If you are running PHP 5 you can use the hash function. There is an example in the comments that shows the time it takes to digest a string.
    PHP Code:
    <?php
    // Run every algorithm PHP's hash extension supports over one word
    // and print how long each digest takes.
    $algos = hash_algos();
    $word = "hola";

    foreach ($algos as $algo)
    {
        echo $algo.": ";
        $time = microtime(1);
        echo hash($algo, $word);
        echo "<br>".(microtime(1)-$time)."<br><hr>";
    }
    ?>
    Just remember to make sure your field is large enough to store the entire password.
    ||||If you are getting paid to do a job, don't ask for help on it!||||

  • #3
    New Coder
    Join Date
    Dec 2008
    Posts
    34
    Thanks
    5
    Thanked 0 Times in 0 Posts


    Thanks for the reply.

    What are your thoughts on md5 with salting? Maybe with something unique to the user as well, such as the username or email, so stored password = md5("$username.$password"). This way each stored password is unique to the user, so even if someone were to attack the database, they'd only be able to crack passwords one at a time.

    Or should I still go with sha1?

    Thanks

    Ben
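The three storage schemes discussed in this thread, side by side, as an added example that is not code from either poster. It is written in Python rather than the PHP/MySQL the thread uses, because the point is language-independent: plain MD5 stores identical rows for identical passwords, the md5("$username.$password") idea from post #3 makes rows differ per user but with a guessable salt and a fast hash, and a random per-user salt with an iterated hash (PBKDF2-SHA256, an assumption here; the thread itself only mentions sha1/sha512) keeps everything the verify step needs in one stored string. The account names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not from the thread): two users chose the same password.
SAMPLE_ACCOUNTS = [
    ("alice", "correct horse"),
    ("bob", "correct horse"),
    ("carol", "hunter2"),
]


def md5_unsalted(password: str) -> str:
    """Plain MD5 as first proposed: identical passwords give identical stored rows,
    so one cracked value unlocks every account that shares it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_username_salted(username: str, password: str) -> str:
    """The md5("$username.$password") idea from post #3: rows now differ per user,
    but the salt is predictable and MD5 is still a fast, unsalted-friendly hash."""
    return hashlib.md5(f"{username}.{password}".encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = 100_000) -> str:
    """Random 16-byte salt plus an iterated SHA-256 (PBKDF2).
    The record carries algorithm, iteration count, salt and digest, so verify()
    needs nothing else; the salt is not secret and may sit in the same column."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(record: str, password: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def distinct_values(values) -> int:
    """How many different stored values a scheme produces for the sample accounts."""
    return len(set(values))


if __name__ == "__main__":
    print("plain md5 distinct rows:", distinct_values(md5_unsalted(p) for _, p in SAMPLE_ACCOUNTS))
    print("username-salted md5 distinct rows:",
          distinct_values(md5_username_salted(u, p) for u, p in SAMPLE_ACCOUNTS))
    rec = make_record("hunter2")
    print("stored record:", rec, "length:", len(rec))
    print("verify correct:", verify(rec, "hunter2"), "verify wrong:", verify(rec, "hunter3"))
```

The stored record for the salted scheme is 118 characters with these parameters (the point made in post #2 about sizing the column), and two calls to make_record() with the same password produce different records, which is what prevents the "crack one, open many" problem that plain MD5 has. Because the password is never recoverable from the record, a forgotten password has to be handled by issuing a new one, as the thread already concluded.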

