Storing passwords as plain text

Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!

Moderators: egami, macek, gesf

egami
php-forum GURU
Posts: 2192
Joined: Wed Oct 06, 2010 11:19 am
Location: Happy Valley, UT

Tue Oct 26, 2010 8:41 am

Well, if you're using authentication it should be over SSL.
But, in the case that you can't use SSL, then passing user information over cleartext is all you can do.

This can be accessible to anyone on a wireless connection, anyone on the ISP from and to the source and destination.

However, putting passwords in the DB will prevent that cracker from getting that user's passwords and using them on other sites where they might be using the same password.

It's about ethics more than just security.

-B

egami

Tue Oct 26, 2010 8:44 am

$password = md5($_REQUEST['password']); is the simplest form of encryption, but you can use seeds and other things to make it even more complicated.

I typically will use a random seed for the website, and append it to or prepend it to the password just to confuse any outsiders.

md5 password encryption along with another md5 seed attached together = good enough for government work.

-B
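
Added example, not part of the original posts: the MD5-plus-site-seed scheme described in the post above, next to PHP's built-in `password_hash()` / `password_verify()`, with a login-time upgrade path for rows already stored as MD5. `SITE_SEED`, the function names and the sample password are assumptions made for this illustration.

```php
<?php
// Added illustration. SITE_SEED and the sample password are constructed values.
const SITE_SEED = 'constructed-site-wide-seed';

// The scheme from the post: one fast MD5 pass over a site-wide seed plus the password.
function legacy_hash(string $password): string
{
    return md5(SITE_SEED . $password);
}

// password_hash() draws a fresh random salt on every call and stores it,
// together with the algorithm and cost, inside the returned string.
function modern_hash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Check a login against either stored format. Returns [verified, replacement]:
// replacement is a new hash to write back to the DB, or null if none is needed.
function verify_and_upgrade(string $password, string $stored): array
{
    // A bare 32-character hex string is treated as a legacy MD5 row.
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        $ok = hash_equals($stored, legacy_hash($password)); // constant-time compare
        return [$ok, $ok ? modern_hash($password) : null];
    }
    $ok = password_verify($password, $stored);
    $stale = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [$ok, $stale ? modern_hash($password) : null];
}

// Two accounts sharing a password: the legacy hashes match each other,
// the password_hash() outputs do not.
var_dump(legacy_hash('hunter2') === legacy_hash('hunter2'));
var_dump(modern_hash('hunter2') === modern_hash('hunter2'));

// A legacy row verifies once and yields a replacement hash to store.
[$ok, $replacement] = verify_and_upgrade('hunter2', legacy_hash('hunter2'));
var_dump($ok, password_verify('hunter2', $replacement));

// A wrong password against the same legacy row fails and yields no replacement.
var_dump(verify_and_upgrade('wrong', legacy_hash('hunter2')));
```

With a site-wide seed, identical passwords produce identical stored values, so one recovered password exposes every account that shares it; the per-password salt and configurable cost in `password_hash()` remove that property.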
