galexcd, posted March 10, 2008:
> Well, I just wanna ask you if it's a good or appropriate way to encrypt the password. I checked the entry on PHPMyAdmin, and it does really encrypt the password. So, I can do that?!

Well, I'm not quite sure if sha1() is an SQL function, but I may be wrong; it is a PHP function. And yes, sha1 is a good encryption to use for encrypting passwords. It is similar to md5, but the hash is longer.
rvalkass, posted March 10, 2008:
> Well, I just wanna ask you if it's a good or appropriate way to encrypt the password. I checked the entry on PHPMyAdmin, and it does really encrypt the password. So, I can do that?!

SHA1 is a good way to encrypt passwords at the moment. You would also be wise to 'salt' the passwords. This is a way to protect against dictionary attacks. Many people are still stupid enough to pick a single dictionary word as a password. That is incredibly insecure, even if the password is hashed.

A good idea is to 'salt' the password. That simply means adding some random values to the end of the password before hashing it and saving it in the database. To do this, when the password is created, also create some random data using the rand() function, or something similar. Put this random value on the end of the user's password, then hash it, then put it in the database. You also need to store the random data in the database!!!

Then, to check the password entered by a user, take their username, and pull the relevant piece of random data, along with the hash for their password, from the database. Tag the stored random data onto the end of the password they entered, and hash that whole string. If that matches the one in the database, then the password they entered is correct.

It can seem a little complicated at first, but it is much more secure than just hashing a user-entered password.
jlhaslip, posted March 10, 2008:
> A good idea is to 'salt' the password

Check the code that is posted above. It is using a salt value already.

    INSERT INTO login (username,password,email,activated) value ('admin',sha1(concat('yourpasswordhere','0dAfghRqSTgx')),'youremailhere','1');
rvalkass, posted March 10, 2008:
> Check the code that is posted above. It is using a salt value already.
>
>     INSERT INTO login (username,password,email,activated) value ('admin',sha1(concat('yourpasswordhere','0dAfghRqSTgx')),'youremailhere','1');

Personally, I prefer a random salt rather than a fixed one. A fixed salt requires one edited dictionary file, whereas a system with a different hash for each person requires an entirely separate dictionary, and corresponding hashes, for each user.
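The salt-then-hash procedure rvalkass describes, together with the fixed-versus-random salt comparison in the post above, as an added PHP example that is not code from anyone in this thread. It keeps sha1() as the thread uses it, and assumes PHP 7 or later for random_bytes() (used here instead of the rand() the post mentions, because it draws from the operating system's CSPRNG) and hash_equals(); the MySQL `login` table is replaced with an in-memory array, and the usernames and password are constructed sample values. Current PHP ships password_hash()/password_verify(), which generate the salt for you and use a deliberately slow hash, and that is what a new login system should use; the example is here to show the mechanics the posts describe.

```php
<?php
// Added example, not from the thread: per-user random salt as rvalkass describes,
// with sha1() as the thread uses it. Storage is an in-memory array standing in
// for the MySQL `login` table.

// Create the salt and hash for a freshly chosen password.
// Returns the two values that both have to be stored for the user.
function makeSaltedHash(string $password): array
{
    // 8 random bytes from the OS CSPRNG, kept as 16 hex characters (assumption:
    // PHP 7+; the post suggests rand(), which is not a cryptographic source).
    $salt = bin2hex(random_bytes(8));
    // Same order as sha1(concat(password, salt)) in the INSERT quoted above.
    $hash = sha1($password . $salt);
    return ['salt' => $salt, 'hash' => $hash];
}

// Login check: pull the stored salt and hash for the username, append the salt
// to the candidate password, hash, and compare in constant time.
function verifyPassword(string $candidate, string $salt, string $storedHash): bool
{
    return hash_equals($storedHash, sha1($candidate . $salt));
}

// Demonstrates the point of the post: two users who chose the same password.
// Returns whether their stored hashes collide under each scheme.
function compareSaltSchemes(string $sharedPassword): array
{
    // Fixed salt, as in the quoted INSERT: every user shares one salt value.
    $fixedSalt = '0dAfghRqSTgx';
    $fixedHashA = sha1($sharedPassword . $fixedSalt);
    $fixedHashB = sha1($sharedPassword . $fixedSalt);

    // Per-user random salt: each user gets their own salt at registration.
    $alice = makeSaltedHash($sharedPassword);
    $bob   = makeSaltedHash($sharedPassword);

    return [
        // true: one precomputed table of hashes covers every account
        'fixed_salt_hashes_collide'  => $fixedHashA === $fixedHashB,
        // false: a table built for alice's salt says nothing about bob's
        'random_salt_hashes_collide' => $alice['hash'] === $bob['hash'],
        // the scheme still verifies the right password and rejects a wrong one
        'alice_correct_login'        => verifyPassword($sharedPassword, $alice['salt'], $alice['hash']),
        'alice_wrong_login'          => verifyPassword('not-her-password', $alice['salt'], $alice['hash']),
    ];
}

// Constructed sample data: both users picked the dictionary word 'password'.
$users = [];
foreach (['alice', 'bob'] as $username) {
    $users[$username] = makeSaltedHash('password');
}

// What the database row for each user would hold: username, salt, hash.
foreach ($users as $username => $row) {
    printf("%-6s salt=%s hash=%s\n", $username, $row['salt'], $row['hash']);
}

var_dump(compareSaltSchemes('password'));
```

The salt is stored in the clear next to the hash, as the post says; its job is not to be secret but to make each user's hash unique, so a single precomputed dictionary cannot be checked against every row at once. The constant-time comparison in verifyPassword() is not something the posts ask for, but it is the idiomatic way to compare secrets in PHP and costs nothing.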
alex1985, posted March 11, 2008:
Thank you guys. I will try to use yours, it seems better for me.