Re: [PHP] Is MD5 still considered safe for storing application user passwords?




On Dec 31, 2008, at 5:36 AM, Richard Heyes wrote:

Hi,

...

You should also take into account how crucial your data is. If it's
nuclear launch codes I would say that you can't get enough security.
However if it's an admin system for Bob's local grocery store, then as
"Phpster" suggested, a salted hash may well be enough. For example,
you could use this:

<?php
$hash = md5($password . 'salt -
bhuyfuyftyfctujvikhgvbhjiftye5645rt68ty97tgifyvcu6yt7d');
?>


Correct me if I'm wrong... but assuming that your salt string is hard coded into the program, with an MD5 a password + salt is no more secure than a simple password?

Unless... When they log in, you store an MD5 hash of the salt in a separate field in the database, and store it in a cookie so it can be compared.

Or am I just missing something obvious like usual? :)


--
Jason Pruim
japruim@xxxxxxxxxx
616.399.2355
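
An added example, not part of the original messages: it contrasts the hard-coded salt from the quoted snippet with a random per-user salt stored beside the hash, and with PHP's built-in password_hash(). The salt constant, user names, passwords and the helper names make_record() and check_record() are constructed for illustration.

```php
<?php
// Placeholder standing in for a salt hard-coded in the application source.
const STATIC_SALT = 'example-static-salt';

// Constructed sample data: two accounts that happen to share a password.
$users = ['alice' => 'hunter2', 'bob' => 'hunter2'];

// 1) One application-wide salt: equal passwords produce equal hashes, so
//    cracking one hash exposes every account that shares the password.
$static = [];
foreach ($users as $name => $password) {
    $static[$name] = md5($password . STATIC_SALT);
}
echo 'static salt, same hash: ', var_export($static['alice'] === $static['bob'], true), "\n";

// 2) A random salt per user, stored in the same row as the hash.
//    The salt is not secret; it only has to differ between accounts.
function make_record(string $password): array
{
    $salt = bin2hex(random_bytes(16));
    return ['salt' => $salt, 'hash' => md5($password . $salt)];
}

function check_record(string $password, array $record): bool
{
    // hash_equals() compares in constant time.
    return hash_equals($record['hash'], md5($password . $record['salt']));
}

$rows = array_map('make_record', $users);
echo 'per-user salt, same hash: ', var_export($rows['alice']['hash'] === $rows['bob']['hash'], true), "\n";
echo 'per-user salt, login ok: ', var_export(check_record('hunter2', $rows['alice']), true), "\n";

// 3) password_hash() picks a random salt itself, stores it inside the
//    returned string, and uses a deliberately slow algorithm instead of MD5.
$stored = password_hash('hunter2', PASSWORD_DEFAULT);
echo 'password_hash, login ok: ', var_export(password_verify('hunter2', $stored), true), "\n";
echo 'password_hash, wrong password: ', var_export(password_verify('hunter3', $stored), true), "\n";
```

random_bytes() requires PHP 7 or later; password_hash() and password_verify() are available from PHP 5.5.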
