> -----Original Message-----
> From: Thodoris [mailto:tgol@xxxxxxxxxx]
> Sent: Friday, September 19, 2008 7:42 AM
> To: info@xxxxxxx
> Cc: php-general@xxxxxxxxxxxxx
> Subject: Re: Adding encryption to passwords
>
> > I use SHA-256 (use hash - php.net/manual/en/function.hash.php),
> > because it's a little bit more secure than md5 or SHA-1.
> >
> > BTW: Don't forget the salts..
>
> Thanks for the feedback, guys; it was quite helpful.

Be wary, though--the salt suggestion is good advice. It helps to avoid what is known as "rainbow cracking," where basically a dictionary is hashed and used to brute-force your encrypted hash by comparison. "Salt" is just a bit of extra text (a difficult combination to "guess") hashed in with the text you are crypting. I.e., imagine you have a function "hash()" which receives input text and generates a hash from it (md5, sha-1, whatever):

    // salt is prepended to the input before hashing
    $hashedText = hash("1-+ThiS/iS[[My&592SaLT!!/" . $textToHash);

You could take it to the next level like phpBB does and lock it down further:

    $salt = "1-+ThiS/iS[[My&592SaLT!!/";
    // hash the salt on its own, hash the salted input, then hash the two together
    $hashedText = hash(hash($salt) . hash($salt . $textToHash));

...either example makes it much more difficult for a cracker than just hashing a dictionary and trying each result.

HTH,

Todd Boyd
Web Programmer
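The salting advice above, as an added example that is not part of the original thread: a per-user random salt stored next to the SHA-256 hash, and a constant-time check at login. Function and variable names are assumptions for illustration; the demo values are constructed.

```php
<?php
// Added example, not from the mailing-list post. Names are hypothetical.

// Create the stored record for a new password. The salt is random and
// unique per user, so two users with the same password get different
// hashes, and a table of precomputed hashes (a "rainbow" table) built
// for one salt is useless against every other user.
function createPasswordRecord(string $password): array
{
    $salt = bin2hex(random_bytes(16));          // 32 hex chars, fresh per user
    $hash = hash('sha256', $salt . $password);  // salt hashed in with the password
    return ['salt' => $salt, 'hash' => $hash];  // persist both with the user row
}

// Check a login attempt against the stored record.
function verifyPassword(string $password, array $record): bool
{
    $candidate = hash('sha256', $record['salt'] . $password);
    // hash_equals() compares in constant time, so the response time does
    // not reveal how many leading bytes of the candidate matched.
    return hash_equals($record['hash'], $candidate);
}

// Constructed demo values
$record = createPasswordRecord('correct horse battery staple');
var_dump(verifyPassword('correct horse battery staple', $record));
var_dump(verifyPassword('wrong password', $record));

// Same password for a second user: different salt, so a different hash.
$other = createPasswordRecord('correct horse battery staple');
var_dump($other['hash'] !== $record['hash']);
```

Current PHP (5.5 and later) ships password_hash() and password_verify(), which generate the salt and use a deliberately slow algorithm for you; a plain salted SHA-256 as shown here still lets an attacker test candidates very quickly.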