Storing passwords in database
Posted: Mon Jul 12, 2010 9:24 am
Hello
I've just started looking into encryption for storing passwords in a mysql database and every article I read says something different. In the past I've just used md5() to encrypt the passwords and after some reading md5 is supposedly not very safe.
I've read up on using salts when encrypting. From my understanding salts are just used to prevent rainbow table attacks (correct me if I'm wrong). Now if someone is able to get a copy of my entire database to use a rainbow table attack on, wouldn't they easily be able to find out the salt I am using?
Below is what I am currently thinking of doing.
Code:
$userjoindate = "1278929952"; //this is grabbed from the database
$pass = "abc";
$salt = "klsdfsjlk8kjwlew89huj" . $pass . $userjoindate;
$pass = $salt . hash("whirlpool",$salt);
With what I stated above, if someone is able to get a copy of my database, wouldn't they be able to get a copy of my .php script that shows how it is getting encrypted, making the salt worthless?
Any help would be greatly appreciated, thanks.
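Added example (not part of the original post): the scheme from the post run next to PHP's built-in password_hash()/password_verify(). It shows that the post's stored string begins with the salt string, which contains the password itself, and that a random per-user salt kept in the open beside a slow hash still does its job, which is to make every stored hash unique and every guess expensive, not to stay secret. Function names are hypothetical, all values are constructed, and PHP 7.4 or later is assumed.

```php
<?php
// Added example; function names are hypothetical, values are constructed samples.

// The scheme from the post, wrapped in a function so its output can be inspected.
function post_scheme(string $pass, string $joindate): string {
    $salt = "klsdfsjlk8kjwlew89huj" . $pass . $joindate;
    return $salt . hash("whirlpool", $salt);
}

// Alternative: per-user random salt plus a deliberately slow hash.
// password_hash() generates the salt itself and encodes algorithm, cost and
// salt inside the returned string, so no separate salt column is needed.
function store_password(string $pass): string {
    return password_hash($pass, PASSWORD_BCRYPT, ['cost' => 12]);
}

function check_login(string $pass, string $stored): bool {
    return password_verify($pass, $stored);
}

// Average seconds per call of $fn over $n runs.
function seconds_per_call(callable $fn, int $n): float {
    $start = microtime(true);
    for ($i = 0; $i < $n; $i++) {
        $fn();
    }
    return (microtime(true) - $start) / $n;
}

// 1) What the post's scheme would store: everything before the 128 hex
//    characters of the whirlpool digest is the salt string, password included.
$legacy = post_scheme("abc", "1278929952");
echo "prefix stored in clear: ", substr($legacy, 0, strlen($legacy) - 128), "\n";

// 2) Same password for two users: the random salts make the stored values differ,
//    so one precomputed table cannot cover both rows even though the salts are visible.
$a = store_password("abc");
$b = store_password("abc");
echo "user A: $a\nuser B: $b\n";
echo "stored values differ: ", var_export($a !== $b, true), "\n";
echo "correct password verifies: ", var_export(check_login("abc", $a), true), "\n";
echo "wrong password verifies: ", var_export(check_login("abd", $a), true), "\n";

// 3) Cost of testing one guess when database and script are both known:
//    a single fast hash versus bcrypt at cost 12.
$fast = seconds_per_call(fn() => hash("whirlpool", "guess"), 1000);
$slow = seconds_per_call(fn() => password_verify("guess", $a), 3);
printf("whirlpool: %.6f s per guess, bcrypt cost 12: %.3f s per guess\n", $fast, $slow);
```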