Posted: Tue Aug 19, 2003 4:29 pm
by phice
greenhorn666 wrote:

$password = md5($password);
What the heck do you think you are doing?
Crypting the password? Because you are NOT!!!

md5 produces a non-readable value for the password, thus crypting it. :) No need to use all caps, either. Thanks.

Posted: Wed Aug 20, 2003 2:36 am
by greenhorn666
It does result in a "non-readable value for the password" in some way, while it isn't the password crypted, it is a hash value for the password...
The thing is, in order to encrypt well enough you need to seed your encryption... Hence the crypt() function. You should try a lookup on Google on md5 hash password encryption, and you'll see what security experts think about it... It is indeed harder than a plain text password (while don't forget that the password goes uncrypted over the network), but the point in crypting passwords is to protect your password list (à la /etc/passwd, /etc/shadow) from getting stolen. Using MD5 hash values as passwords isn't securing them; anyone could break them in about hours...
And 2nd point: never should 2 identical passwords produce the same encrypted value (hence the salt), and you don't get this with MD5() alone!

I think in this case uppercase was more than welcome; security doesn't come through obscuration, and when I see someone coding this I think he has to know he is doing pretty much wrong!
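
Added example, not part of the thread or written by any poster: it stores the same constructed account list once with the quoted `md5($password)` line and once with a per-password salt, then groups accounts by stored value to show what the salt changes. It assumes a current PHP with `password_hash()`/`password_verify()` (used here in place of the `crypt()` call named in the post); the account names, passwords and helper function names are made up.

```php
<?php
// Constructed sample accounts; alice and bob deliberately share a password.
$accounts = [
    'alice' => 'sunshine1',
    'bob'   => 'sunshine1',
    'carol' => 'tr0ub4dor',
];

// 1) Unsalted MD5, as in the quoted line: $password = md5($password);
$md5Table = [];
foreach ($accounts as $user => $pw) {
    $md5Table[$user] = md5($pw);
}

// 2) Salted hash: password_hash() generates a random salt on every call and
//    stores it, with the algorithm and cost, inside the returned string.
$saltedTable = [];
foreach ($accounts as $user => $pw) {
    $saltedTable[$user] = password_hash($pw, PASSWORD_DEFAULT);
}

// Group users by stored value. Any group with more than one user tells
// whoever holds the table that those accounts share a password, and one
// precomputed lookup then covers all of them.
function sharedHashes(array $table): array
{
    $groups = [];
    foreach ($table as $user => $hash) {
        $groups[$hash][] = $user;
    }
    return array_values(array_filter($groups, fn($users) => count($users) > 1));
}

// Login check against the salted table: password_verify() reads the salt
// back out of the stored string and recomputes the hash for the attempt.
function checkLogin(array $table, string $user, string $attempt): bool
{
    return isset($table[$user]) && password_verify($attempt, $table[$user]);
}

echo "Accounts sharing a stored value (unsalted MD5):\n";
print_r(sharedHashes($md5Table));
echo "Accounts sharing a stored value (salted):\n";
print_r(sharedHashes($saltedTable));
var_dump(checkLogin($saltedTable, 'bob', 'sunshine1'));
var_dump(checkLogin($saltedTable, 'bob', 'sunshine2'));
```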

Posted: Fri Aug 29, 2003 8:11 pm
by genetix
What about the default options you get from mysql? The encript() and decript() functions? Are those any good? Some people say they aren't.

Posted: Fri Aug 29, 2003 8:53 pm
by d-m
If you want a simple thing you can even use:
base64_encode() and base64_decode()
:lol:

Posted: Sat Aug 30, 2003 6:35 pm
by genetix
Never heard of that. Is it the same as encode() decode()???

Posted: Tue Sep 02, 2003 5:56 pm
by genetix
I'm pretty sure md5(); will work. I see it in a lot of other log in scripts.