2009/2/9 Stuart <stuttle@xxxxxxxxx>:
> 2009/2/9 Michael Kubler <mdkknd@xxxxxxxxx>:
>> These days SHA should really be used instead of MD5, and you should be
>> SALTing the password as well.
>> Here's a great guide : http://phpsec.org/articles/2005/password-hashing.html
>
> Good advice.

Absolutely. I used MySQL's md5() function only as an example.

> I would also advise against stripping and trimming
> anything from passwords. By removing characters you're significantly
> reducing the number of possible passwords.

Surely, the stripping should only be done when magic_quotes is enabled!
(e.g. your server makes \' out of ').
Trimming could be left out, but it minimizes user errors and users pretending to know their password
(like copy/paste from a passwords file with added spaces on the end, etc.).

Regards

--
PHP General Mailing List (http://www.php.net/)
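The point about stripping only when magic_quotes is enabled, as an added example that is not code from this thread. `normalize_password()` is a hypothetical helper, the magic_quotes state is passed in as a flag so the script runs on PHP versions without that setting, `addslashes()` stands in for what magic_quotes did to request data, and PHP's `password_hash()` (which salts for you) is used in place of the hand-salted SHA mentioned above.

```php
<?php
// Added example, not code from the thread. Names here are hypothetical.

// Undo magic_quotes escaping only when the server actually applied it.
// Trimming is optional and off by default.
function normalize_password(string $raw, bool $magicQuotesOn, bool $trim = false): string
{
    $pw = $magicQuotesOn ? stripslashes($raw) : $raw;
    return $trim ? trim($pw) : $pw;
}

// Constructed sample passwords: one contains a backslash, the other does not.
$chosen = 'pa\\ss\'word';
$other  = 'pass\'word';

// Case 1: magic_quotes on. The request value arrives escaped, and
// stripping once restores exactly what the user typed.
$received = addslashes($chosen);
echo "magic_quotes on, stripped once, round-trips: ";
var_dump(normalize_password($received, true) === $chosen);

// Case 2: magic_quotes off, but stripslashes() is applied anyway.
// The backslash is silently dropped before hashing, so a different
// password verifies against the stored hash.
$stored = password_hash(stripslashes($chosen), PASSWORD_DEFAULT);
echo "unconditional strip, other password accepted: ";
var_dump(password_verify(stripslashes($other), $stored));

// Case 3: magic_quotes off and stripping skipped. The two passwords
// stay distinct and only the chosen one verifies.
$stored = password_hash(normalize_password($chosen, false), PASSWORD_DEFAULT);
echo "conditional strip, other password accepted: ";
var_dump(password_verify(normalize_password($other, false), $stored));
echo "conditional strip, chosen password accepted: ";
var_dump(password_verify(normalize_password($chosen, false), $stored));

// Trimming forgives a pasted trailing space or newline, at the cost of
// treating "secret" and "secret " as the same password.
echo "trim maps pasted value to the bare password: ";
var_dump(normalize_password("secret \n", false, true) === 'secret');
```

Whichever normalization is chosen has to be applied identically at registration and at login, otherwise valid passwords stop verifying.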