From: Peter Beckman <beckman@xxxxxxxxxxxxx>
To: Julien Bonastre <julien@xxxxxxxxxxxxxxxx>
CC: php-db@xxxxxxxxxxxxx
Subject: Re: Storing Credit Cards, Passwords, Securely, two-way encryption
Date: Thu, 5 Jan 2006 22:53:30 -0500 (EST)
On Fri, 6 Jan 2006, Julien Bonastre wrote:
Any reason why you need to have reversible encryption on the password
value??
No... I just prefer to assume that if someone gets my DB, they might try
using user/pass pairs on banking sites, or paypal, or other ways, and if I
can reversibly encrypt the password, I can send them an email with their
password, rather than changing it to something obscure and force them to
change it again...
Though at this point, I just decided to md5 the password and call it good
enough. I'll just force them to change it if need be.
Really is the best way to handle it...change and force them to rechange when
logging in again..
May I recommend that you SALT the hash value by pre/appending a random
string to the value to prevent a straight dictionary attack.
Bastien
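The per-user random salt Bastien recommends, as an added example that is not code from the thread or from PHP itself. It assumes a stored record of the form "salt$hash" and uses sha256 rather than the md5 the thread settled on (that substitution is an assumption of this example, not the thread's choice).

```php
<?php
// Added example: salted password hashing as suggested in the thread.
// Storage format assumed here: "<hex salt>$<hex hash>". sha256 is used
// in place of the thread's md5 (assumption of this example).

const SALT_BYTES = 16;

// Build the value to store for a new password: a fresh random salt per
// user, prepended to the password before hashing.
function make_salted_hash(string $password): string {
    $salt = bin2hex(random_bytes(SALT_BYTES));   // 32 hex chars, unique per user
    $hash = hash('sha256', $salt . $password);   // salt prepended, as suggested
    return $salt . '$' . $hash;
}

// Check a login attempt against the stored "salt$hash" record.
function verify_salted_hash(string $password, string $stored): bool {
    $parts = explode('$', $stored, 2);
    if (count($parts) !== 2) {
        return false;                            // malformed record, never a match
    }
    list($salt, $hash) = $parts;
    $candidate = hash('sha256', $salt . $password);
    return hash_equals($hash, $candidate);       // constant-time comparison
}

// Two users choosing the same password get different stored values, so one
// precomputed dictionary of plain hashes no longer matches every account.
$a = make_salted_hash('correct horse');
$b = make_salted_hash('correct horse');
var_dump($a !== $b);
var_dump(verify_salted_hash('correct horse', $a));
var_dump(verify_salted_hash('wrong horse', $a));
```

On PHP 5.5 and later the built-in password_hash() and password_verify() do the salting and a slow hash for you and are the better choice for new code.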
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php