User passwords for login

moos3 · 08-20-2007, 09:48 PM

I'm trying to figure out the best way to store them. in my database? sha or md5 or something else.

PappaJohn · 08-20-2007, 10:06 PM

I typically hash them using sha1(), it is somewhat more secure than md5.

wordnerd · 08-20-2007, 11:29 PM

For what it's worth, I also always store passwords as sha1() hashes. VARCHAR(40) holds them nicely.

fl00d · 08-21-2007, 06:20 AM

hmm I use MD5(). I've just thought up an idea to double MD5 encryption. Have the password hashed once, and then the hashed value hashed again. I'm about to test it out and see how easy it would be to crack an hash that also has a hash value. My instinct tells me it would be fairly easy to crack but I'll find out for sure

westmatrix99 · 08-21-2007, 02:51 PM

Sorry for this odd question but does your site actually get cracked? (not hacked but cracked)
What would they gain?
I mean your'e not a bank or anything are you?

Inigoesdr · 08-21-2007, 03:00 PM

Quote:

Originally Posted by fl00d

hmm I use MD5(). I've just thought up an idea to double MD5 encryption. Have the password hashed once, and then the hashed value hashed again.

vBulletin uses something similar to that, with a random salt added.

Quote:

Originally Posted by westmatrix99

Sorry for this odd question but does your site actually get cracked? (not hacked but cracked)
What would they gain?
I mean your'e not a bank or anything are you?

It doesn't matter.. no one wants their site cracked. Whether you run a bank or a blog, it's always a bad thing.

westmatrix99 · 08-21-2007, 03:03 PM

Ok it's personal preference.

Inigoesdr · 08-21-2007, 03:08 PM

It shouldn't be personal preference. You have an implied responsibility to do the most you can to protect your users' personal information.

westmatrix99 · 08-21-2007, 03:14 PM

All I am saying is that unless you are a bank or store some serious information then hashing and bashing makes no sense.

Ok what you say is true that you should protect the data but trying to crack a website is childish.

It's never happened to me. ("touch wood")
I would love to see someone try and crack my site and hear how long it took them to figure out that they can't.

Inigoesdr · 08-21-2007, 03:16 PM

Quote:

Originally Posted by westmatrix99

All I am saying is that unless you are a bank or store some serious information then hashing and bashing makes no sense.

Ok what you say is true that you should protect the data but trying to crack a website is childish.

It's never happened to me. ("touch wood")
I would love to see someone try and crack my site and hear how long it took them to figure out that they can't.

No offense, but just because it's childish doesn't mean people won't do it.
And I seriously doubt that your site can't be cracked. If it's connected to the internet, then there's a way to get to it.

westmatrix99 · 08-21-2007, 03:21 PM

Cool cheers.

rafiki · 08-21-2007, 03:28 PM

i sha1() passwords all the time probably always will.

Inigoesdr · 08-21-2007, 03:34 PM

I call your sha1() and raise you hash('sha256', $string);

rafiki · 08-21-2007, 03:38 PM

fold.

lol

moos3 · 08-21-2007, 07:04 PM

I'm going to do the following

PHP Code:


			
$temp = sha1($passwd);

$password = md5($temp);

$salt = substr(md5(uniqid(rand(), true)), 0, 5);

$secure_password = md5($salt . md5($password));

Suggestions?