PHP security: email + password Vs username + password
Posted: Sat Oct 09, 2010 8:24 am
by lauthiamkok
Hi,
I want to create a login form. I wonder what combination of information I should collect from the input fields for better security:
email + password
or
username + password
Another security issue: should I encrypt the password using sha1() for better security? Or can I save the password, such as 12345, as it is in my database? What risk am I taking if I don't encrypt the password?
Many thanks,
Lau
Re: PHP security: email + password Vs username + password
Posted: Sat Oct 09, 2010 8:31 am
by twinedev
You may want to check out this thread; it is recent, and it is pretty much the same exact topic.
viewtopic.php?f=34&t=120348
-Greg
Re: PHP security: email + password Vs username + password
Posted: Sat Oct 09, 2010 9:04 am
by lauthiamkok
twinedev wrote: You may want to check out this thread; it is recent, and it is pretty much the same exact topic.
viewtopic.php?f=34&t=120348
-Greg
Thanks Greg for this info.
But this thread doesn't answer my second concern though: encrypted passwords...
Re: PHP security: email + password Vs username + password
Posted: Sat Oct 09, 2010 9:38 am
by internet-solution
lauthiamkok wrote: twinedev wrote: You may want to check out this thread; it is recent, and it is pretty much the same exact topic.
viewtopic.php?f=34&t=120348
-Greg
Thanks Greg for this info.
But this thread doesn't answer my second concern though: encrypted passwords...
Certainly encrypted.
Re: PHP security: email + password Vs username + password
Posted: Sat Oct 09, 2010 9:54 am
by lauthiamkok
internet-solution wrote: lauthiamkok wrote: twinedev wrote: You may want to check out this thread; it is recent, and it is pretty much the same exact topic.
viewtopic.php?f=34&t=120348
-Greg
Thanks Greg for this info.
But this thread doesn't answer my second concern though: encrypted passwords...
Certainly encrypted.
Thanks, I am now looking into it.

Re: PHP security: email + password Vs username + password
Posted: Sat Oct 09, 2010 11:52 am
by flying_circus
internet-solution wrote: lauthiamkok wrote: twinedev wrote: You may want to check out this thread; it is recent, and it is pretty much the same exact topic.
viewtopic.php?f=34&t=120348
-Greg
Thanks Greg for this info.
But this thread doesn't answer my second concern though: encrypted passwords...
Certainly encrypted.
I would not encrypt the password, I would hash it. Encryption implies that you can decrypt it, and that's not what you want for user privacy. Hashing is one-way. Use a strong algorithm (stronger than sha1). Use at least sha256, preferably sha512. It's best to use a random user salt and likely a pepper too.
When your user logs in, you will hash the user-supplied value (the same way you hashed the password that is stored in the database) and then compare the two hash values. If they match, then the user supplied the correct password.
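As an added example, not code from any poster in this thread: the hash-and-compare login flow flying_circus describes, written in PHP with a per-user random salt, a server-side pepper and a constant-time comparison. The pepper environment variable name and the stored salt/hash layout are assumptions, and the closing lines show PHP's built-in password_hash() as the preferred alternative on current PHP versions.

```php
<?php
// Added example (not from the thread): store a salted, peppered one-way
// digest instead of the password, and verify by re-hashing and comparing.
declare(strict_types=1);

// Assumed name of the env var holding the application-wide secret pepper.
// It lives outside the database, so a dumped users table alone is not enough.
const PEPPER_ENV = 'APP_PASSWORD_PEPPER';

function pepper(): string {
    $p = getenv(PEPPER_ENV);
    if ($p === false || strlen($p) < 32) {
        throw new RuntimeException('pepper missing or too short');
    }
    return $p;
}

// One-way: pepper + salt + password -> SHA-512 hex digest. Nothing to decrypt.
function hashPassword(string $password, string $salt): string {
    return hash('sha512', pepper() . $salt . $password);
}

// Registration: keep the random salt and the digest, never the password itself.
function makeCredential(string $password): array {
    $salt = bin2hex(random_bytes(16));   // 128-bit random per-user salt
    return ['salt' => $salt, 'hash' => hashPassword($password, $salt)];
}

// Login: hash the supplied value the same way and compare in constant time,
// so the comparison does not leak how many leading bytes matched.
function verifyPassword(string $supplied, string $salt, string $storedHash): bool {
    return hash_equals($storedHash, hashPassword($supplied, $salt));
}

// Constructed sample run (pepper set here only so the script is self-contained).
putenv(PEPPER_ENV . '=' . bin2hex(random_bytes(32)));
$cred = makeCredential('12345');   // the plaintext from the original question
var_dump(verifyPassword('12345', $cred['salt'], $cred['hash']));
var_dump(verifyPassword('12346', $cred['salt'], $cred['hash']));

// Preferred on PHP >= 5.5: the built-in slow hash (bcrypt by default) handles
// salting and constant-time comparison itself; a fast digest such as SHA-512
// can be brute-forced far more quickly than a deliberately slow password hash.
$builtin = password_hash('12345', PASSWORD_DEFAULT);
var_dump(password_verify('12345', $builtin));
```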