OK, encrypting passwords.
For security's sake, it is best to put a password through some sort of hashing function (which is exactly what the MD5 and crypt functions are).
What this means is that some mathematical formula is run over the password and a simplified number that relates to the original password string is created. Note that with hashing functions it is impossible to retrieve the original password from the hashed version.
So, if this password is only one-way, how can we verify it against the password entered by the user trying to get into our site? Easy! All we have to do is compare the MD5 hash of the entered password with the hash of the original password stored in our database, like so:
// Hash the submitted password and compare it with the MD5 digest stored for the user.
// hash_equals() (PHP 5.6+) compares byte-for-byte in constant time; a loose == comparison
// would treat two "0e..." digests as the number 0 and wrongly report a match.
if (hash_equals($databaseMD5Password, md5($_POST['password']))) {
    // The passwords match
}
else {
    // Oops, the user has entered the wrong password
}
The only way to crack this type of password is through brute force, which means comparing every possible password's MD5 hash with the one in the database.
However, be warned! Most sites will send the user's password from the client (browser) to the server in clear text. The only real way to secure this data is via SSL; otherwise, all a hacker has to do is sniff the packets coming into your server for all the plain-text passwords being sent for authentication.
Hope this helps.
:: Kondro ::
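An added example, not from Kondro's post or any project, putting the hash-and-compare check above next to the two things a practitioner should verify about it: what the comparison operator does to MD5 digests that look like numbers, and how cheap the brute-force attack mentioned above is against unsalted MD5. The user names, passwords, "database" rows and wordlist are all constructed for this demonstration; the two MD5 digests of the form 0e<digits> are the well-known values for the strings "240610708" and "QNKCDZO".

```php
<?php
// Added example (not from the original post): the hash-and-compare login check
// described above, with the comparison-operator pitfall and a wordlist attack
// against unsalted MD5 shown side by side. All names, passwords and the
// "database" rows below are constructed for this demonstration.

declare(strict_types=1);

// Constructed stand-in for the users table: username => stored MD5 hex digest.
// alice's password happens to hash to a digest that PHP treats as the number 0
// ("0e" followed only by digits) when it is compared with ==.
$users = [
    'alice' => md5('240610708'),   // 0e462097431906509019562988736854
    'bob'   => md5('letmein'),
];

// The check as written in many old tutorials: md5() of the submitted password
// compared with == against the stored digest. Two numeric strings are compared
// as numbers by ==, so "0e462..." == "0e830..." is true (0 == 0).
function verifyLoose(string $stored, string $submitted): bool
{
    return md5($submitted) == $stored;
}

// Hardened check: hash_equals() does a byte-for-byte, constant-time comparison,
// so numeric-string juggling and timing leaks no longer apply.
function verifyStrict(string $stored, string $submitted): bool
{
    return hash_equals($stored, md5($submitted));
}

// The brute-force attack the post mentions: hash every candidate and compare.
// Unsalted MD5 makes this cheap; a real attacker uses GPUs and huge wordlists.
function crackMd5(string $stored, array $wordlist): ?string
{
    foreach ($wordlist as $candidate) {
        if (hash_equals($stored, md5($candidate))) {
            return $candidate;
        }
    }
    return null;
}

// 1. Type-juggling bypass: "QNKCDZO" is not alice's password, but its MD5 is
//    also of the form 0e<digits>, so == compares the two digests as 0 == 0.
$attackerGuess = 'QNKCDZO';            // md5 = 0e830400451993494058024219903391
var_dump(verifyLoose($users['alice'], $attackerGuess));   // bool(true)  <- bypass
var_dump(verifyStrict($users['alice'], $attackerGuess));  // bool(false)
var_dump(verifyStrict($users['alice'], '240610708'));     // bool(true)

// 2. Wordlist attack against bob's unsalted digest (constructed wordlist).
$wordlist = ['password', '123456', 'letmein', 'qwerty'];
var_dump(crackMd5($users['bob'], $wordlist));             // string(7) "letmein"

// 3. What to store instead (PHP 5.5+): a salted, slow hash. password_hash()
//    picks a random salt per user and password_verify() compares in constant
//    time, so neither the == bypass nor a plain wordlist lookup applies.
$stored = password_hash('letmein', PASSWORD_DEFAULT);
var_dump(password_verify('letmein', $stored));            // bool(true)
var_dump(password_verify('QNKCDZO', $stored));            // bool(false)
```

Run it with `php example.php`. The first var_dump is the one to look at: the loose comparison accepts a password that is not alice's at all, purely because both digests happen to parse as zero. The SSL point in the post still stands regardless of which hash is stored; it protects the password in transit, while the choice of hash and comparison protects it at rest and at the moment of checking.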