
Storing Passwords

  • 03-04-2007 8:22am
    #1
    Closed Accounts Posts: 44


    In the very early stages of designing a site and I'm just messing around with the login / register features.

    What are people's opinions on storing passwords? From a security point of view and a general usability point of view!

    Site will be just for general info (it's going to be student related) and I won't be storing any sensitive information, but I still know the passwords should be encrypted.

    Is storing as MD5 the best solution? (I know this has its own problems as regards lost passwords etc.)

    Or is a two-way encryption better? Haven't really had much luck finding a good two-way encryption algorithm (if anybody knows one that'd be cool).


Comments

  • Registered Users Posts: 7,427 ✭✭✭Trampas


    Some DBMS systems allow fields to be a password field, so all that appears in the database is **** for the characters.


  • Registered Users Posts: 912 ✭✭✭chakotha


    I have found Blowfish straightforward to use.

    http://pear.php.net/package/Crypt_Blowfish

    Or this looks faster to get going, but I haven't tried it:

    http://codewalkers.com/seecode/593.html


  • Closed Accounts Posts: 884 ✭✭✭NutJob


    MD5 is fine but remember to seed the passwords so a straight md5 lookup is useless.

    PHP example
    http://ie.php.net/manual/en/function.md5.php#56934


    As for the lost password problem just use the email back a message to verify a user is who they claim method.
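
The seeding described in the post above, as an added example that is not part of the original thread: identical passwords hashed with plain MD5 share one digest that a precomputed table resolves, while a per-user random salt gives each account a different digest. The `store`/`verify` pair uses PBKDF2-HMAC-SHA256, a swapped-in slow hash that goes beyond the seeded MD5 the post describes; all function names and the sample password list are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed lookup table: unsalted MD5 digests of a few common passwords,
# standing in for the "straight md5 lookup" mentioned in the post.
COMMON = ["password", "letmein", "123456"]
LOOKUP = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON}


def md5_unsalted(password):
    return hashlib.md5(password.encode()).hexdigest()


def md5_salted(password, salt):
    """Seeded MD5 as in the post: digest over salt + password."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def store(password, iterations=200_000):
    """Record to keep in the users table: random per-user salt + slow digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def demo():
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    a = md5_salted("letmein", salt_a)   # user A
    b = md5_salted("letmein", salt_b)   # user B, same password
    record = store("letmein")
    return {
        "unsalted_found": LOOKUP.get(md5_unsalted("letmein")),
        "salted_found": LOOKUP.get(a),
        "same_password_same_digest": a == b,
        "verify_ok": verify("letmein", record),
        "verify_bad": verify("letmeim", record),
    }


if __name__ == "__main__":
    print(demo())
```

The salt is stored next to the digest in the user's row; it does not need to be secret, only unique per account.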


  • Registered Users Posts: 21,264 ✭✭✭✭Hobbes


    I'd go with one way encryption. Public / Private key.

    Then when they enter the password to login you encrypt it and compare the encryptions.


  • Closed Accounts Posts: 19,777 ✭✭✭✭The Corinthian


    Store your users/passwords as database users with just the bare necessary rights on the database in question.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    NutJob wrote:
    MD5 is fine but remember to seed the passwords so a straight md5 lookup is useless.

    PHP example
    http://ie.php.net/manual/en/function.md5.php#56934


    As for the lost password problem just use the email back a message to verify a user is who they claim method.

    I would second this suggestion.

