Instead of hashing the password, I prefer to use the following procedure:

$user = ...
$password = ...
$hash = md5($user . $password);

Using this method, it will be very difficult to guess the password if you get the hash, because it also depends on the user name. When you are going to log in a user, you have to check the hash stored in the database against the result of applying the md5 function to the result of concatenating the user name and the password provided by the user.

// Strict comparison: == can treat numeric-looking hash strings as equal.
if ($db_hash === md5($user . $password)) {
    // logged
} else {
    // error
}

On 1/17/07, tedd <tedd@xxxxxxxxxxxx> wrote:
That's also the way hackers break it, namely take the hash and use a reverse dictionary to look up the password. While the MD5 hash is non-reversible, it produces a unique string. If people use simple passwords, then the hash is pretty simple to break. As people become more aware of how simple it is to break their passwords, their passwords will become more complex. However, reverse dictionaries will also become larger as processing speeds increase -- and the cycle continues. So, the amount of security that MD5 provides is really dependent upon the user.
--
Regards,
Oscar

--
PHP General Mailing List (http://www.php.net/)
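Added example, not part of the original messages: one way to move accounts stored as md5($user . $password) to PHP's password_hash() at login time, since MD5 is fast to compute and the user name is a predictable salt. The $row array and the function names is_legacy_hash() and verify_login() are hypothetical, and the sample record is constructed.

```php
<?php
// Added example: verify a login against either scheme and upgrade legacy rows.
// $row is a hypothetical user record: ['user' => ..., 'hash' => ...].

function is_legacy_hash(string $hash): bool
{
    // md5() output is exactly 32 lowercase hex characters.
    return preg_match('/^[0-9a-f]{32}$/', $hash) === 1;
}

function verify_login(array &$row, string $password): bool
{
    if (is_legacy_hash($row['hash'])) {
        // Legacy scheme from the message above: md5($user . $password).
        // hash_equals() compares in constant time and avoids == type juggling.
        $ok = hash_equals($row['hash'], md5($row['user'] . $password));
    } else {
        $ok = password_verify($password, $row['hash']);
    }
    if (!$ok) {
        return false;
    }
    // On success, replace a legacy or outdated hash with a slow, randomly salted one.
    if (is_legacy_hash($row['hash'])
        || password_needs_rehash($row['hash'], PASSWORD_DEFAULT)) {
        $row['hash'] = password_hash($password, PASSWORD_DEFAULT);
        // A real application would persist $row['hash'] to the database here.
    }
    return true;
}

// Constructed sample record stored with the legacy scheme.
$row = ['user' => 'alice', 'hash' => md5('alice' . 'correct horse battery staple')];

// A wrong password is rejected and the stored hash is left untouched.
var_dump(verify_login($row, 'wrong password'));
var_dump(is_legacy_hash($row['hash']));

// The correct password is accepted and the stored hash is upgraded in place.
var_dump(verify_login($row, 'correct horse battery staple'));
var_dump(is_legacy_hash($row['hash']));

// Later logins are checked with password_verify() only.
var_dump(verify_login($row, 'correct horse battery staple'));
```

Accounts that never log in again keep their MD5 hash, so a migration like this is usually paired with a forced reset for rows still in the legacy format after a cutoff.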