Re: [PHP] Is MD5 still considered safe for storing application user passwords?
- From: planetthoughtful@xxxxxxxxx (Murray)
- Date: Thu, 1 Jan 2009 00:41:06 +1000
Well, the idea would be to allow the person downloading and implementing the
application to choose their own salt value. That way, in theory, each
implementation of the application will be salting the hash algorithm with a
different value.
I guess, if you really wanted to get tricky, you could programatically
generate a random string on first run of the application and store it in a
background db or in your config file, so that you could be more certain that
the salt value from implementation to implementation was different.
M is for Murray
On Thu, Jan 1, 2009 at 12:12 AM, Jason Pruim <japruim@xxxxxxxxxx> wrote:
On Dec 31, 2008, at 5:36 AM, Richard Heyes wrote:
Hi,
...
You should also take into account how crucial your data is. If it's
nuclear launch codes I would say that you can't get enough security.
Howver if it's an admin system for Bobs local grocery store, then as
"Phpster" suggested, a salted hash may well be enough. For example,
you could use this:
<?php
$hash = md5($password . 'salt -
bhuyfuyftyfctujvikhgvbhjiftye5645rt68ty97tgifyvcu6yt7d');
?>
Correst me if I'm wrong... but assuming that your salt string is hard coded
into the program, with a MD5 a password + salt is no more secure then a
simple password?
Unless... When they log in, you store a MD5 hash of the salt in a separate
field in the database, and store it on in a cookie so it can be compared.
Or am I just missing something obvious like usual? :)
--
Jason Pruim
japruim@xxxxxxxxxx
616.399.2355
- References:
- Is MD5 still considered safe for storing application user passwords?
- From: Murray
- Re: [PHP] Is MD5 still considered safe for storing application user passwords?
- From: Phpster
- Re: [PHP] Is MD5 still considered safe for storing application user passwords?
- From: "Richard Heyes"
- Re: [PHP] Is MD5 still considered safe for storing application user passwords?
- From: Jason Pruim
- Is MD5 still considered safe for storing application user passwords?
- Prev by Date: Re: [PHP] Is MD5 still considered safe for storing application user passwords?
- Next by Date: Re: [PHP] Encryption/decryption of PHP data
- Previous by thread: Re: [PHP] Is MD5 still considered safe for storing application user passwords?
- Next by thread: Re: [PHP] Is MD5 still considered safe for storing application user passwords?
- Index(es):
Relevant Pages
|
