02-16-2007, 05:02 AM
#12
Zara
Originally Posted by Amross
Hashing a hash has numerous negative effects actually. A simple md5($salt.$password) [or a different hash if you prefer] would be more than sufficient in most cases. What is the point in going so overboard if you aren't something that would justify it, such as a bank? There are tons of real-world examples where you would never be so extensive over something so simple; why is hashing any different?

Honestly, the extra security in a matter of 10 or so keystrokes is well worth it in my opinion. md5($salt.$password) may not be sufficient because encryptions are used to protect passwords even if the database is hacked... Therefore, if someone takes an MD5 hash to an MD5 hash library and finds a password 1171601767barneylove or whatever... Odds are they will be able to find out that 1171601767 is the user's registration date as a Unix timestamp, which means barneylove would be the password.

And with any system I write, and most PHP developers, we make a single class to handle all of the user functions. We'd write those extra 10 characters maybe 2 times max... Once for the user login function and once for the user registration function.

You are saying it has numerous negative effects; please do inform me. I have not heard of any, and the fact that nearly every PHP programmer I know uses the same methods as I do makes me very curious.
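A worked version of the single user class the post describes (registration and login in one place), as an added example in Python rather than PHP and not code from this thread: it keeps the thread's md5($salt.$password) scheme for comparison next to a version that uses a random per-user salt, a slow key-derivation function and a constant-time comparison, so two users with the same password no longer share a hash and a leaked table cannot be matched against a precomputed hash library. The class and method names and the iteration count are assumptions; hashlib, hmac and secrets are Python standard library.

```python
import hashlib
import hmac
import secrets


class UserStore:
    """Hypothetical user class: registration and login live in one place,
    and only (salt, hash) pairs are stored, never the password itself."""

    # Assumed iteration count; tune upward for the hardware you run on.
    ITERATIONS = 100_000
    SALT_BYTES = 16

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def legacy_md5(salt: str, password: str) -> str:
        """The md5($salt.$password) scheme from the thread, kept for comparison.
        With a predictable salt (e.g. a registration timestamp) this is a
        fixed mapping from password to hash, which is what the thread worries about."""
        return hashlib.md5((salt + password).encode()).hexdigest()

    @classmethod
    def _derive(cls, password: str, salt: bytes) -> bytes:
        # Slow, salted KDF instead of a single fast MD5 round.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def register(self, username: str, password: str) -> None:
        # Random salt from the OS CSPRNG, not a timestamp or user id.
        salt = secrets.token_bytes(self.SALT_BYTES)
        self.users[username] = (salt, self._derive(password, salt))

    def login(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        if record is None:
            # Do the same amount of work for unknown users so response time
            # does not reveal whether the username exists.
            self._derive(password, bytes(self.SALT_BYTES))
            return False
        salt, stored = record
        candidate = self._derive(password, salt)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(candidate, stored)
```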