On Wed, 2007-01-17 at 13:51 -0500, Oscar Gosdinski wrote:
> Instead of hashing the password, I prefer to use the following procedure:
>
> $user = ...
> $password = ...
> $hash = md5($user . $password);
>
> Using this method, it will be very difficult to guess the password if you
> get the hash, because it depends also on the user name.
>
> When you are going to login a user you have to check the hash stored
> in the database against the result of applying the md5 function on the
> result of concatenating the user name and the password provided by the
> user.
>
> // Strict comparison: PHP's loose == treats two hex strings of the form
> // "0e..." as equal numbers, so === is required when comparing hashes.
> if ($db_hash === md5($user . $password)) {
>     // logged in
> } else {
>     // error
> }
Yep, never a good idea to just rote md5() the password. Best to add a
sprinkle of salt, that way you avoid precomputed lookups. For instance,
if your server ever got compromised and the attacker got your md5
passwords, if they already had a precomputed database then finding the
reverse of the hash would be trivial.
Cheers,
Rob.
--
PHP General Mailing List (http://www.php.net/)