On Wed, Jul 8, 2009 at 10:44 AM, Andrew Ballard<aballard@xxxxxxxxx> wrote:
> On Wed, Jul 8, 2009 at 9:48 AM, Martin Scotta<martinscotta@xxxxxxxxx> wrote:
>> $sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\'
>> and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password
>> .'\'))';
>>
>> I use this solution because md5 runs faster in Mysql
>>
>> --
>> Martin Scotta
>>
>
> If you were running a loop to build a rainbow table or brute-force a
> password, I could see where that would matter. For authenticating a
> single user it seems like premature optimization to me. On my
> development machine, where PHP runs slow inside of the IDE, the
> average time to perform an md5 hash on a text string of 38 characters
> (much longer than most passwords) over 10000 iterations is around
> 0.00085 seconds. I can live with that. :-) I still like handling the
> encryption in PHP and then passing the encrypted value to the database
> for storage/comparison.
>
> Andrew
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

You shouldn't be using md5 or sha1 to hash passwords as both have been
attacked and successfully exploited. There are other hashing functions in
PHP that you should use.

And FWIW, you WANT hashing to be slow. The faster it is, the less
complicated the algorithm is (assuming all implementations are equal), and
the easier it is to break.

And if you're storing hashed passwords as a means of verification, SALT
THEM FOR CHRIST'S SAKE.

//somewhere where you can access it several places, like config.php
define('SALT', '2435kh4bj@#$@#14asdnaksa10=nsdf'); //random characters, the longer and more random, the better. If it was email compatible, I'd have given a "real" salt read out of /dev/random at some point, like you should be doing.

//prepare the password
$password = $_POST['password'] . SALT;
$password = hash('sha512', $password); //assume you've validated $_POST['password']

//query the database to make sure the password is the right one
//$userName holds the submitted user name, assumed validated like the password
$stmt = $db->prepare('SELECT password FROM users WHERE user_name=?');
$stmt->bindParam(1, $userName); //bind the user name to the placeholder, not the hash
$stmt->execute();
list($dbPass) = $stmt->fetch();

if($dbPass === $password) { //strict comparison: == would compare two numeric-looking hex strings as numbers
    echo 'success';
} else {
    echo 'failure';
}

The reason you salt passwords, especially with binary characters, is that
without knowing what the salt is, it's nearly impossible to create a
rainbow table and run rainbow table attacks on your database. It costs
nearly nothing to do in terms of resource usage, and any sort of
human-comprehensible scheme to store those hashes is easily broken. I've
seen "{$user}{$randomCharacter}{$password}" used before, and I'd never
recommend something so simple.

--Eddie
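As an added example that is not part of the original thread, here is the same register-and-login flow written with PHP's built-in password API, which covers the three points argued above (a deliberately slow hash, a random salt per user instead of one global SALT, and verification in PHP rather than in SQL). It assumes PHP 7.1 or later with the pdo_sqlite extension; the in-memory table and the sample user are constructed for the demonstration.

```php
<?php
// Added example, not code from the original thread. Assumes PHP >= 7.1 with
// pdo_sqlite so the in-memory database lets it run stand-alone.

function createSchema(PDO $db): void
{
    $db->exec('CREATE TABLE users (user_name TEXT PRIMARY KEY, password TEXT NOT NULL)');
}

function registerUser(PDO $db, string $userName, string $password): void
{
    // password_hash() draws a fresh random salt on every call and stores it,
    // with the algorithm id and cost, inside the returned string, so no global
    // SALT constant is needed and a leaked table forces one brute-force run per
    // user instead of one rainbow table for all of them.
    // Cost 12 means 2^12 bcrypt rounds: tens of milliseconds per login, but a
    // hard ceiling on how many guesses per second an attacker can test.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    $stmt = $db->prepare('INSERT INTO users (user_name, password) VALUES (?, ?)');
    $stmt->execute([$userName, $hash]);
}

function authenticate(PDO $db, string $userName, string $password): bool
{
    // Select by user name only; the hash is never interpolated into SQL.
    $stmt = $db->prepare('SELECT password FROM users WHERE user_name = ?');
    $stmt->execute([$userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown user: verify against a dummy hash so the response takes as
        // long as a real check and does not reveal which user names exist.
        static $dummy = null;
        $dummy = $dummy ?? password_hash('dummy', PASSWORD_BCRYPT, ['cost' => 12]);
        password_verify($password, $dummy);
        return false;
    }
    // password_verify() reads salt and cost from the stored string and compares
    // in constant time, avoiding both loose == comparison and timing leaks.
    return password_verify($password, $row['password']);
}

$db = new PDO('sqlite::memory:');
createSchema($db);
registerUser($db, 'martin', 'correct horse battery staple'); // constructed sample user
var_dump(authenticate($db, 'martin', 'correct horse battery staple'));
var_dump(authenticate($db, 'martin', 'wrong password'));
var_dump(authenticate($db, 'nobody', 'correct horse battery staple'));
```

Registering the same password twice produces two different stored strings because each call gets its own salt, which is exactly what defeats a precomputed table.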