Hello. On my registration page I have:

<input type="password" name="pass">

so that the password is masked. Then once the register button has been pressed I have this:

$md5pass = md5($_POST['pass']);

and the md5pass gets inserted into the database. How secure would you say this is?
Password security for my registration
superdezign (DevNet Master):
Re: Password security for my registration

Doom87 wrote: How secure would you say this is?

I'd say it is close to the bare minimum, but it *is* generally secure.
Well it is being hashed, so if any exploit was passed it would be hashed and then made null. However, fields that do not get hashed (user names, e-mail, etc.) need more validation. Personally (as do many others on this forum, and for that fact anyone with common sense) I never trust anything from users and always validate. And a good tip also with user input is never directly output user data, i.e.

Code:
echo $_GET['foo']; // raw user input echoed straight into the page: the thing NOT to do

Search the forums, there are tons of examples of user input validation and registration logic. Hope this has helped.

The Phoenix (Forum Contributor):
superdezign (DevNet Master):
ZERO's suggestion, in case it may have confused you, is in regards to security issues beyond your actual passwords (which you likely have, judging by your question).
Also, if you are unsure as to what a salt is (as Phoenix has described), it's text that you add to a password. This could be the same word every time, but it's more secure if you generate different salts per-user. We've had a few discussions on password security. You should search the forums. Mordred's post may prove useful.
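As an added example (not code from this thread), here is what a per-user salt as superdezign describes it looks like in PHP, next to the unsalted md5($_POST['pass']) from the original post; the function names and the in-memory $users table are assumptions:

```php
<?php
// Added example, not code from the thread: a per-user salt (as superdezign
// describes) next to the unsalted md5($_POST['pass']) from the original post.
// Function names and the in-memory $users table are assumptions.
declare(strict_types=1);

// Unsalted: one password always gives one digest, so a single precomputed
// table of md5 digests matches every account that chose that password.
function unsalted_hash(string $password): string
{
    return md5($password);
}

// A fresh random salt per user (16 random bytes, hex-encoded).
function make_salt(): string
{
    return bin2hex(random_bytes(16));
}

// Salted: hash the salt together with the password. The salt is not secret;
// store it in the user's row next to the hash.
function salted_hash(string $salt, string $password): string
{
    return hash('sha256', $salt . $password);
}

// Check a login attempt against the stored (salt, hash) pair.
// hash_equals() compares in constant time so the comparison does not leak timing.
function verify_password(string $salt, string $storedHash, string $attempt): bool
{
    return hash_equals($storedHash, salted_hash($salt, $attempt));
}

// Constructed registration data: two users who happen to pick the same password.
$users = [];
foreach (['alice' => 'hunter2', 'bob' => 'hunter2'] as $name => $password) {
    $salt = make_salt();
    $users[$name] = ['salt' => $salt, 'hash' => salted_hash($salt, $password)];
}

// Same password, same unsalted digest for both users.
var_dump(unsalted_hash('hunter2') === unsalted_hash('hunter2'));
// With per-user salts the stored hashes differ, so one cracked entry does not
// reveal the other user's password.
var_dump($users['alice']['hash'] === $users['bob']['hash']);

// Login checks for alice: the right password verifies, a wrong one does not.
var_dump(verify_password($users['alice']['salt'], $users['alice']['hash'], 'hunter2'));
var_dump(verify_password($users['alice']['salt'], $users['alice']['hash'], 'wrong'));
```

On PHP 5.5 or later, password_hash() and password_verify() do this per-user salting for you with a deliberately slow hash, and are the better choice over a hand-rolled scheme like the one above.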
superdezign wrote: ZERO's suggestion, in case it may have confused you, is in regards to security issues beyond your actual passwords (which you likely have, judging by your question).
Also, if you are unsure as to what a salt is (as Phoenix has described), it's text that you add to a password. This could be the same word every time, but it's more secure if you generate different salts per-user. We've had a few discussions on password security. You should search the forums. Mordred's post may prove useful.

You are good at clarification.
Here it is: viewtopic.php?t=62782, and in the comments you'll find linked a tutorial by Maugrim_The_Reaper on how to do client-side hashing for safer transport to the server, as The Phoenix suggested.