Hashing is not useless. The best you can do is salt your password and then hash with a slow hashing algorithm. The salt makes it more difficult to use a rainbow table (still completely possible), and the slow hashing algorithm makes it take longer to test against a rainbow table. If you're concerned about security, a slow hashing algorithm is the most important since with enough computing power, any password can be cracked. The slow hashes just require WAY more computing power.
MD5 is way too fast to be considered a good hashing algorithm for hashing passwords. Blowfish is a much slower hashing algorithm, but MySQL does not support it and PHP prior to 5.3 requires crypt(3) to be compiled with BCRYPT/BLOWFISH support. I suspect this is why the Zend documentation does not use it. I read somewhere that bcrypt with a high work factor is somewhere around 5,000 times slower than MD5. More info: http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php

With that said, though, I use MD5 for most of the sites I build. The following is my auth adapter setup:

    return new Zend_Auth_Adapter_DbTable(
        $dbAdapter,
        'users',
        'email',
        'password',
        'MD5(CONCAT(salt,?))'
    );

Notice that the salt column in the users database is concatenated with the user-provided password prior to MD5 hashing. My setPassword() method generates a random salt which is 8 characters long.

Konr

On Thu, Oct 13, 2011 at 8:42 PM, David Muir <[email protected]> wrote:
> I agree, but I was under the impression that even with salt, MD5 is
> useless for protecting passwords.
>
> Cheers,
> David
>
> On 10/14/2011 12:37 PM, Marco Pivetta wrote:
>> The best you can do is adding some salt to it... That would make the
>> rainbow table discovery useless...
>> Marco Pivetta
>> http://twitter.com/Ocramius
>> http://marco-pivetta.com
>>
>> On 14 October 2011 03:34, David Muir <[email protected]> wrote:
>>
>>     MD5 is used in the example usage of /credentialTreatment/ for
>>     Zend_Auth_Adapter_DbTable:
>>
>>     http://framework.zend.com/manual/en/zend.auth.adapter.dbtable.html#zend.auth.adapter.dbtable.advanced.advanced_usage
>>
>>     Is this a good idea? Shouldn't something a bit more secure be used for
>>     passwords?
>>
>>     Cheers,
>>     David

--
List: [email protected]
Info: http://framework.zend.com/archives
Unsubscribe: [email protected]
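The following is an added example, not code from this thread or from Zend Framework. It reproduces the MD5(CONCAT(salt,?)) treatment used in the adapter above in plain PHP, beside a bcrypt version built on PHP's crypt(), which has Blowfish built in from 5.3.0 (the "$2y$" prefix used here needs 5.3.7+), and then times one guess under each scheme so the "slow hash" argument in the thread can be measured rather than quoted. The function names, the cost of 12, and the sample password are this example's own choices, not anything from the thread.

```php
<?php
// Added example, not code from the thread or from Zend Framework.
// Compares the MD5(CONCAT(salt, ?)) treatment from the adapter above
// with bcrypt via crypt(). Function names and the cost of 12 are this
// example's own choices.

// 22-character salt from the bcrypt alphabet [./A-Za-z0-9], built from
// 16 random bytes. openssl_random_pseudo_bytes() is used rather than
// mt_rand() because a salt must not be predictable.
function bcryptSalt()
{
    $raw = openssl_random_pseudo_bytes(16);
    return substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
}

// bcrypt with a work factor: 2^cost key-schedule iterations per hash.
function bcryptHash($password, $cost = 12)
{
    $hash = crypt($password, sprintf('$2y$%02d$', $cost) . bcryptSalt());
    // crypt() returns a short failure string ("*0" or "*1") when Blowfish
    // is unavailable; that must never be stored as a password hash.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt not available in this PHP build');
    }
    return $hash; // cost and salt are embedded in the 60-byte result
}

// Constant-time comparison; hash_equals() only exists from PHP 5.6.
function constantTimeEquals($a, $b)
{
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

function bcryptVerify($password, $storedHash)
{
    // Passing the stored hash as the "salt" reuses its cost and salt.
    return constantTimeEquals(crypt($password, $storedHash), $storedHash);
}

// The adapter's treatment, MD5(CONCAT(salt, ?)), computed in PHP so the
// two schemes can be compared side by side. MySQL's MD5() and PHP's md5()
// both return lowercase hex.
function saltedMd5($salt, $password)
{
    return md5($salt . $password);
}

$password = 'correct horse battery staple';   // constructed sample input
$salt     = substr(bcryptSalt(), 0, 8);        // 8-char salt, as setPassword() does

$md5Stored    = saltedMd5($salt, $password);   // needs the salt column alongside it
$bcryptStored = bcryptHash($password, 12);     // self-describing, one column

if (!constantTimeEquals(saltedMd5($salt, $password), $md5Stored)) {
    throw new RuntimeException('salted MD5 verification failed');
}
if (!bcryptVerify($password, $bcryptStored) || bcryptVerify('wrong password', $bcryptStored)) {
    throw new RuntimeException('bcrypt verification failed');
}

// Rough cost comparison: how many salted-MD5 guesses fit in one bcrypt guess.
$n = 20000;
$t = microtime(true);
for ($i = 0; $i < $n; $i++) {
    saltedMd5($salt, 'guess' . $i);
}
$md5PerGuess = (microtime(true) - $t) / $n;

$t = microtime(true);
bcryptVerify('guess', $bcryptStored);
$bcryptPerGuess = microtime(true) - $t;

printf("salted MD5:  %.2f us per guess\n", $md5PerGuess * 1e6);
printf("bcrypt(12):  %.1f ms per guess\n", $bcryptPerGuess * 1e3);
printf("ratio:       ~%d MD5 guesses per bcrypt guess\n", $bcryptPerGuess / $md5PerGuess);
```

Two practical points follow from the thread. First, the ratio printed at the end is the whole argument for a slow hash: an attacker with a leaked users table gets that many fewer guesses per second against bcrypt than against salted MD5, and raising the cost by one doubles it again. Second, because credentialTreatment is a SQL expression and MySQL has no bcrypt function, a bcrypt scheme cannot be expressed as a treatment string; the stored hash has to be fetched by e-mail and checked in PHP with something like bcryptVerify() above, which is the one structural change needed to move off MD5(CONCAT(salt,?)).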
