I would like to add some info about storing the password hash in the
database.
I recently tested how quickly one can brute force a simple md5('foo')
hash with a modern GPU. The results have been truly eye opening....
I have been able to break hundreds of hashes with my ATI 6870 in a
couple of days. Even with passwords in the 8 char length range ... and
even salted ones.
The problem is that md5 is optimized for speed. Which is nice if you
want to hash a file but it offers an attacker the option to brute force
your password.
The solution is to hash multiple times and if possible using a different
hashing algorithm.
http://php.net/crypt can help you here.
I wrote a new password class for my own projects which will use crypt()
with sha512, sha256, blowfish if available or fall back to a 3000 round
md5().
This approach makes it impractical to bruteforce the hash because every
single test will have to run md5() 3000 times before it can validate a
single hash.
This also adds a delay to the login process but the hash is only checked
once....
The code is released under the BSD license so you may use it in a
commercial application as well. The zip contains the class file and two
sample pages demonstrating how to use the class.
Here is a download link, let me know if you like it or have any questions.
http://www.2shared.com/file/kocAJ2HO/class_password.html
md5: 4ee41496a9d1bc147e5025699e2b764e class_password.zip
--
John
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
