PHP security: email + password Vs username + password

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

lauthiamkok
Forum Contributor
Posts: 153
Joined: Wed Apr 01, 2009 2:23 pm
Location: Plymouth, United Kingdom

PHP security: email + password Vs username + password

Post by lauthiamkok »

Hi,

I want to create a login form, and I wonder what combination of information I should collect from the input fields for better security:

email + password

or

username + password

Another security issue: should I encrypt the password using sha1() for better security? Or can I save the password, such as 12345, as it is in my database? What risk am I taking if I don't encrypt the password?

Many thanks,
Lau
twinedev
Forum Regular
Posts: 984
Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio

Re: PHP security: email + password Vs username + password

Post by twinedev »

You may want to check out this thread, which is recent; it is pretty much the same exact topic.

viewtopic.php?f=34&t=120348

-Greg
lauthiamkok
Forum Contributor
Posts: 153
Joined: Wed Apr 01, 2009 2:23 pm
Location: Plymouth, United Kingdom

Re: PHP security: email + password Vs username + password

Post by lauthiamkok »

twinedev wrote:You may want to check out this thread, which is recent; it is pretty much the same exact topic.

viewtopic.php?f=34&t=120348

-Greg
thanks Greg for this info. :)

but this thread doesn't answer my second concern though - encrypted password...
internet-solution
Forum Contributor
Posts: 220
Joined: Thu May 27, 2010 6:27 am
Location: UK

Re: PHP security: email + password Vs username + password

Post by internet-solution »

lauthiamkok wrote:
twinedev wrote:You may want to check out this thread, which is recent; it is pretty much the same exact topic.

viewtopic.php?f=34&t=120348

-Greg
thanks Greg for this info. :)

but this thread doesn't answer my second concern though - encrypted password...
certainly encrypted
lauthiamkok
Forum Contributor
Posts: 153
Joined: Wed Apr 01, 2009 2:23 pm
Location: Plymouth, United Kingdom

Re: PHP security: email + password Vs username + password

Post by lauthiamkok »

internet-solution wrote:
lauthiamkok wrote:
twinedev wrote:You may want to check out this thread, which is recent; it is pretty much the same exact topic.

viewtopic.php?f=34&t=120348

-Greg
thanks Greg for this info. :)

but this thread doesn't answer my second concern though - encrypted password...
certainly encrypted
thanks I am now looking into it :D
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: PHP security: email + password Vs username + password

Post by flying_circus »

internet-solution wrote:
lauthiamkok wrote:
twinedev wrote:You may want to check out this thread, which is recent; it is pretty much the same exact topic.

viewtopic.php?f=34&t=120348

-Greg
thanks Greg for this info. :)

but this thread doesn't answer my second concern though - encrypted password...
certainly encrypted
I would not encrypt the password, I would hash it. Encryption implies that you can decrypt it, and that's not what you want for user privacy. Hashing is 1 way. Use a strong algorithm (stronger than sha1). Use at least sha256, preferably sha512. It's best to use a random user salt and likely a pepper too.

When your user logs in, you will hash the user supplied value (the same way you hashed the password that is stored in the database) and then compare the two hash values. If they match, then the user supplied the correct password.
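
The store-then-compare flow described in the post above, as an added example that is not part of any post in this thread. It swaps in PHP's built-in password_hash() / password_verify(), which pick a random per-user salt and a deliberately slow algorithm, in place of a single SHA-2 pass, and applies the pepper as an HMAC-SHA-256 key; the function names, the pepper value and the sample account are assumptions.

```php
<?php
// Added example: function names, PEPPER and the sample account are hypothetical.
// The pepper is a site-wide secret kept outside the database
// (environment variable or secrets store), never in the users table.
const PEPPER = 'constructed-sample-pepper-replace-me';

// Key the password with the pepper. The 64-character hex digest stays
// below bcrypt's 72-byte input limit and contains no NUL bytes.
function apply_pepper(string $password): string
{
    return hash_hmac('sha256', $password, PEPPER);
}

// Registration: password_hash() generates a random salt for this user
// and embeds the salt and cost parameters in the returned string.
function make_stored_hash(string $password): string
{
    return password_hash(apply_pepper($password), PASSWORD_DEFAULT);
}

// Login: process the submitted value the same way, then let
// password_verify() re-hash with the stored salt and compare in constant time.
function check_login(string $submitted, string $storedHash): bool
{
    return password_verify(apply_pepper($submitted), $storedHash);
}

// Constructed sample data standing in for the users table.
// '12345' is the example password from the question.
$users = ['user@example.com' => make_stored_hash('12345')];
$secondAccount = make_stored_hash('12345');

var_dump(check_login('12345', $users['user@example.com']));   // correct password
var_dump(check_login('123456', $users['user@example.com']));  // wrong password

// Two accounts with the same password get different stored values,
// because each one has its own salt.
var_dump(hash_equals($users['user@example.com'], $secondAccount));

// After a successful login, upgrade the stored hash if PHP's default changed.
if (password_needs_rehash($users['user@example.com'], PASSWORD_DEFAULT)) {
    $users['user@example.com'] = make_stored_hash('12345');
}
```

The database column only ever holds the output of make_stored_hash(), so a leaked table does not expose 12345 directly, and the pepper is needed in addition to the table to test guesses offline.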