On Fri, May 6, 2011 at 8:50 AM, Jeff Pang <jeffrp...@gmail.com> wrote: > No. there is no such thing called decryption if you want to protect > your passwords strictly.
Agreed. > Generally we crypt the user's password with md5 or similar and > store them to a database. When user input their username and > password from the web from to login, we re-encrypt the > password and compare it to the database. Basically, yes. You use some kind of one-way hashing function (i.e., something that can't practically be reversed) and store the result of that. Later when the user enters their password you hash what they entered and compare it to the stored hash. Often you also generate a user-specific "salt", which you combine with the password in some standard way prior to hashing so that the same passwords will appear different in the database for different users (for a slight bit of extra security). > The encryption function could be md5: AFAIK, MD5 is no longer considered secure so you should probably use something better for optimal results. I'm not sure what you should use, but I'm sure if you ask the Web you will find plenty of advice. >From Wikipedia[1]: > US-CERT of the U. S. Department of Homeland Security said MD5 > "should be considered cryptographically broken and unsuitable > for further use," and most U.S. government applications now > require the SHA-2 family of hash functions. [1] http://en.wikipedia.org/wiki/MD5 -- Brandon McCaig <http://www.bamccaig.com/> <bamcc...@gmail.com> V zrna gur orfg jvgu jung V fnl. Vg qbrfa'g nyjnlf fbhaq gung jnl. Castopulence Software <http://www.castopulence.org/> <bamcc...@castopulence.org> -- To unsubscribe, e-mail: beginners-unsubscr...@perl.org For additional commands, e-mail: beginners-h...@perl.org http://learn.perl.org/
