As far as I understand those things, you have to salt first, and then hash it - and not just md5, but really a lot of them mixed. It's a good idea to use someone else's security script, also.
twiss
Veteran Poster
1,005 posts since Apr 2010
Reputation Points: 177
Solved Threads: 102
Skill Endorsements: 5
You shouldn't encrypt passwords, you should hash them.
twiss
OK. What you need to do:
At password creation (registration or change)
- create a random salt (for example f4i, or whatever, it doesn't have to be long)
- insert into the database $salt . sha1($salt . $password) or $salt . sha1($salt . md5($salt . $password)), whatever you like. It's best to create or use some function that uses as many md5 and sha1's as possible, perhaps 1000 or 5000 (something that takes a second or 2).
At login, retrieve the password from the database, get the first 3 (salt length) characters, calculate the same (above) and check if it matches.
Again, there are scripts available that do this for you and perhaps even smarter things I can't think of.
twiss
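The registration and login steps above, as an added PHP example (not code from the thread or from any library it mentions). It assumes PHP 7 or later for random_bytes(); the function names, the 3-character salt and the 5000 iteration count are my own choices taken from twiss's numbers, and the closing password_hash() lines go beyond the post to show the built-in alternative.

```php
<?php
// Added example: the salt-prefix scheme described in the thread, with the
// iteration count made explicit, plus the login-time check that reads the
// salt back from the stored value.

const SALT_LEN = 3;      // "f4i" in the post is three characters
const ITERATIONS = 5000; // chosen so hashing takes noticeable time, as suggested

// Iterated sha1/md5 mix over salt + password, as the post describes.
function slowHash(string $salt, string $password): string {
    $h = sha1($salt . md5($salt . $password));
    for ($i = 1; $i < ITERATIONS; $i++) {
        $h = sha1($salt . $h);
    }
    return $h;
}

// Value to store at registration or password change: salt followed by hash.
function makeStoredPassword(string $password): string {
    // random_bytes() is a CSPRNG; bin2hex() makes the salt printable
    $salt = substr(bin2hex(random_bytes(SALT_LEN)), 0, SALT_LEN);
    return $salt . slowHash($salt, $password);
}

// At login: the first SALT_LEN characters are the salt; recompute and compare.
function checkPassword(string $password, string $stored): bool {
    $salt     = substr($stored, 0, SALT_LEN);
    $expected = substr($stored, SALT_LEN);
    // constant-time comparison so the check does not leak how many
    // characters of the hash matched
    return hash_equals($expected, slowHash($salt, $password));
}

$stored = makeStoredPassword('correct horse');
var_dump(checkPassword('correct horse', $stored));
var_dump(checkPassword('wrong guess', $stored));

// The "someone else's script" the post recommends is built into PHP 5.5+:
// password_hash() picks the salt and a tunable bcrypt cost for you, and
// password_verify() reads them back from the stored string.
$modern = password_hash('correct horse', PASSWORD_DEFAULT);
var_dump(password_verify('correct horse', $modern));
```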
You shouldn't hash the username, only the password, if that's what you're asking.
twiss
No, you should protect the database with a password, and make it accessible from localhost only. But if you're on a shared host, that's most of the time already been done for you.
twiss
And, if you can, it's best to disable phpmyadmin and the like if your site goes live.
twiss
Question Answered as of 11 Months Ago by twiss