Need help with a login page problem

phice
Moderator
Posts: 1416
Joined: Sat Apr 20, 2002 3:14 pm
Location: Dallas, TX

Post by phice »

greenhorn666 wrote:

Code:

$password = md5($password);

What the heck do you think you are doing?
Crypting the password? Because you are NOT!!!

md5 produces a non-readable value for the password, thus crypting it. :) No need to use all caps, either. Thanks.
greenhorn666
Forum Commoner
Posts: 87
Joined: Thu Aug 14, 2003 7:14 am
Location: Brussels, Belgium

Post by greenhorn666 »

It does result in a "non-readable value for the password" in some way, but it isn't the password crypted, it is a hash value for the password...
The thing is, in order to encrypt well enough you need to seed your encryption... Hence the crypt() function. You should try a lookup on Google on md5 hash password encryption, and you'll see what security experts think about it... It is indeed harder than a plain-text password (while don't forget that the password goes uncrypted over the network), but the point in crypting passwords is to protect your password list (à la /etc/passwd, /etc/shadow) from getting stolen. Using MD5 hash values as passwords isn't securing them; anyone could break them in about hours...
And 2nd point: two identical passwords should never produce the same encrypted value (hence the salt), and you don't get this with MD5() alone!

I think in this case uppercase was more than welcome; security doesn't come through obscuration, and when I see someone coding this I think he has to know he is doing it pretty much wrong!
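
The second point in the post above (identical passwords should not produce identical stored values), shown as an added example that is not part of the original thread. It assumes PHP 7.4 or later and uses password_hash()/password_verify(), which build on crypt() with a random per-password salt; the account names, passwords and helper functions are constructed for illustration.

```php
<?php
// Constructed sample accounts (not from the thread); alice and bob share a password.
$accounts = ['alice' => 'correct horse', 'bob' => 'correct horse', 'carol' => 'tr0ub4dor'];

// Group user names by stored hash; a group of two or more users means
// anyone who reads the table can see that those users share a password.
function sharedHashes(array $stored): array
{
    $groups = [];
    foreach ($stored as $user => $hash) {
        $groups[$hash][] = $user;
    }
    return array_values(array_filter($groups, fn($users) => count($users) > 1));
}

// Unsalted MD5, as in the quoted line: the hash depends only on the password.
$md5Store = array_map('md5', $accounts);

// Salted hashing: password_hash() draws a random salt on every call and
// stores it inside the returned string together with the algorithm and cost.
$saltedStore = array_map(fn($pw) => password_hash($pw, PASSWORD_DEFAULT), $accounts);

// Login check: password_verify() reads the salt back out of the stored hash,
// so no separate salt column is needed.
function login(array $store, string $user, string $password): bool
{
    return isset($store[$user]) && password_verify($password, $store[$user]);
}

echo "Users sharing a stored value with md5():\n";
print_r(sharedHashes($md5Store));

echo "Users sharing a stored value with password_hash():\n";
print_r(sharedHashes($saltedStore));

echo "Login with the right password, then with a wrong one:\n";
var_dump(login($saltedStore, 'alice', 'correct horse'));
var_dump(login($saltedStore, 'alice', 'wrong guess'));
```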
genetix
Forum Contributor
Posts: 115
Joined: Fri Aug 01, 2003 7:40 pm
Location: Sask, Regina

Post by genetix »

What about the default options you get from MySQL? The encript() and decript() functions? Are those any good? Some people say they aren't.
d-m
Forum Commoner
Posts: 31
Joined: Fri Aug 29, 2003 4:24 pm
Location: Rio de Janeiro - RJ - Brasil

Post by d-m »

If you want a simple thing you can even use:
base64_encode() and base64_decode()
:lol:
genetix
Forum Contributor
Posts: 115
Joined: Fri Aug 01, 2003 7:40 pm
Location: Sask, Regina

Post by genetix »

Never heard of that. Is it the same as encode() decode()???
genetix
Forum Contributor
Posts: 115
Joined: Fri Aug 01, 2003 7:40 pm
Location: Sask, Regina

Post by genetix »

I'm pretty sure md5(); will work. I see it in a lot of other login scripts.