> -----Original Message-----
> From: Thodoris [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 19, 2008 7:42 AM
> To: [EMAIL PROTECTED]
> Cc: php-general@lists.php.net
> Subject: Re: [PHP] Adding encryption to passwords
> 
> 
> > I use SHA-256 (use hash - php.net/manual/en/function.hash.php),
> > because it's a little bit more secure than md5 or SHA-1.
> >
> > BTW: Don't forget the salts..
> >
> 
> Thanks for the feedback guys it was quite helpful.

Be wary, though--the salt suggestion is good advice. It helps to avoid what is 
known as "rainbow cracking," where basically a dictionary is hashed and used to 
brute-force your encrypted hash by comparison. "Salt" is just a bit of extra 
text (a difficult combination to "guess") hashed in with the text you are 
crypting.

I.e., imagine you have a function "hash()" which receives input text and 
generates a hash from it (md5, sha-1, whatever):

$hashedText = hash("1-+ThiS/iS[[My&592SaLT!!/" . $textToHash);

You could take it to the next level like phpBB does and lock it down further:

$salt = "1-+ThiS/iS[[My&592SaLT!!/";
$hashedText = hash(hash($salt) . hash($salt . $textToHash));

...either example makes it much more difficult for a cracker than just hashing 
a dictionary and trying each result.

HTH,


Todd Boyd
Web Programmer
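
The scheme above uses one application-wide salt. The following is an added example, not code from the thread or from phpBB, showing the per-user variant a practitioner would reach for today: each account gets its own random salt, stored next to the hash, so a single precomputed table no longer covers every user. It assumes PHP 7 or later (for random_bytes()); the hashPassword() and verifyPassword() names and the array layout are illustrative choices, not a library API.

```php
<?php
// Added example (not from the original thread): per-user random salt.
// Assumes PHP 7+ for random_bytes(); function names and the record
// layout ('salt'/'hash') are illustrative, not any library's API.

// Hash a password with a freshly generated, per-user salt.
// Returns the record you would store: salt and hash, both hex-encoded.
function hashPassword(string $password): array
{
    // 16 random bytes per user. With a fixed, application-wide salt,
    // one precomputed table still works against every account at once.
    $salt = bin2hex(random_bytes(16));
    $hash = hash('sha256', $salt . $password);
    return ['salt' => $salt, 'hash' => $hash];
}

// Recompute the hash from the stored salt and compare in constant time,
// so the comparison itself does not leak how many bytes matched.
function verifyPassword(string $password, array $record): bool
{
    $candidate = hash('sha256', $record['salt'] . $password);
    return hash_equals($record['hash'], $candidate);
}

// Demonstration: two users who choose the same password get different
// stored hashes, and verification only succeeds with the right password.
$alice = hashPassword('correct horse battery staple');
$bob   = hashPassword('correct horse battery staple');

var_dump($alice['hash'] !== $bob['hash']);
var_dump(verifyPassword('correct horse battery staple', $alice));
var_dump(verifyPassword('wrong password', $alice));
```

Store the salt in the clear alongside the hash; its job is to make precomputation useless, not to stay secret. Note that a plain SHA-256 is still fast to compute, so on PHP 5.5 and later the built-in password_hash() and password_verify() functions, which generate a per-user salt and use a deliberately slow algorithm (bcrypt by default), are the better choice for actual password storage.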

