Hi,
I want to create a login form, and I wonder what combination of information I should collect from the input fields for better security:
email + password
or
username + password
Another security issue: should I encrypt the password using sha1() for better security? Or can I save the password, such as 12345, as it is in my database? What risk am I taking if I don't encrypt the password?
Many thanks,
Lau
PHP security: email + password Vs username + password
-
lauthiamkok
- Forum Contributor
- Posts: 153
- Joined: Wed Apr 01, 2009 2:23 pm
- Location: Plymouth, United Kingdom
Re: PHP security: email + password Vs username + password
You may want to check out this thread this is recent, it is pretty much the same exact topic.
viewtopic.php?f=34&t=120348
-Greg
-
lauthiamkok
- Forum Contributor
- Posts: 153
- Joined: Wed Apr 01, 2009 2:23 pm
- Location: Plymouth, United Kingdom
Re: PHP security: email + password Vs username + password
thanks Greg for this info.

twinedev wrote:
> You may want to check out this thread this is recent, it is pretty much the same exact topic.
> viewtopic.php?f=34&t=120348
> -Greg

but this thread doesn't answer my second concern though - encrypted password...
-
internet-solution
- Forum Contributor
- Posts: 220
- Joined: Thu May 27, 2010 6:27 am
- Location: UK
Re: PHP security: email + password Vs username + password
certainly encrypted

lauthiamkok wrote:
> thanks Greg for this info.
> twinedev wrote:
>> You may want to check out this thread this is recent, it is pretty much the same exact topic.
>> viewtopic.php?f=34&t=120348
>> -Greg
> but this thread doesn't answer my second concern though - encrypted password...
-
lauthiamkok
- Forum Contributor
- Posts: 153
- Joined: Wed Apr 01, 2009 2:23 pm
- Location: Plymouth, United Kingdom
Re: PHP security: email + password Vs username + password
thanks I am now looking into it

internet-solution wrote:
> certainly encrypted
> lauthiamkok wrote:
>> thanks Greg for this info.
>> twinedev wrote:
>>> You may want to check out this thread this is recent, it is pretty much the same exact topic.
>>> viewtopic.php?f=34&t=120348
>>> -Greg
>> but this thread doesn't answer my second concern though - encrypted password...
- flying_circus
- Forum Regular
- Posts: 732
- Joined: Wed Mar 05, 2008 10:23 pm
- Location: Sunriver, OR
Re: PHP security: email + password Vs username + password
I would not encrypt the password, I would hash it. Encryption implies that you can decrypt it, and that's not what you want for user privacy. Hashing is 1 way. Use a strong algorithm (stronger than sha1). Use at least sha256, preferably sha512. It's best to use a random user salt and likely a pepper too.

internet-solution wrote:
> certainly encrypted
> lauthiamkok wrote:
>> thanks Greg for this info.
>> twinedev wrote:
>>> You may want to check out this thread this is recent, it is pretty much the same exact topic.
>>> viewtopic.php?f=34&t=120348
>>> -Greg
>> but this thread doesn't answer my second concern though - encrypted password...

When your user logs in, you will hash the user supplied value (the same way you hashed the password that is stored in the database) and then compare the two hash values. If they match, then the user supplied the correct password.
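
The store-then-compare flow from the post above, as an added example that is not part of the original thread. It swaps the plain SHA-2 call for PHP's built-in password_hash(), which generates the random per-user salt itself and uses a deliberately slow algorithm; the function names and the APP_PEPPER environment variable are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Assumption: the pepper is a site-wide secret kept outside the database
// (an environment variable here). The fallback is a constructed demo value.
$pepper = getenv('APP_PEPPER') ?: 'constructed-demo-pepper-change-me';

/** Mix in the pepper with HMAC. Hex output is 64 chars, under bcrypt's 72-byte input limit. */
function pepper_password(string $password, string $pepper): string
{
    return hash_hmac('sha256', $password, $pepper);
}

/** Registration: returns the string to store in the users table. */
function make_stored_hash(string $password, string $pepper): string
{
    // password_hash() creates a random per-user salt and embeds it in its output,
    // so no separate salt column is needed.
    return password_hash(pepper_password($password, $pepper), PASSWORD_DEFAULT);
}

/** Login: true only if the supplied password matches the stored hash. */
function check_login(string $supplied, string $storedHash, string $pepper): bool
{
    // password_verify() re-hashes with the embedded salt and compares in constant time.
    return password_verify(pepper_password($supplied, $pepper), $storedHash);
}

// Constructed sample data: the weak password from the question, registered twice.
$stored = make_stored_hash('12345', $pepper);
$other  = make_stored_hash('12345', $pepper);

var_dump($stored !== '12345');                      // plain text is never stored
var_dump($stored !== $other);                       // same password, different salt
var_dump(check_login('12345', $stored, $pepper));   // correct password
var_dump(check_login('12346', $stored, $pepper));   // wrong password
```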